IronWorm
Rust-based infostealer and npm supply-chain worm, identified by JFrog Security Research on 2026-06-03 as an evolved variant of the Shai-Hulud worm family. It was distributed through npm packages published from the compromised `asteroiddao` account (43 packages, of which 37 are named below) and targets the Arweave/WeaveDB decentralized-database ecosystem and the broader Web3/crypto developer community. The malicious install hook drops a ~976 KB Rust ELF (`tools/setup`; UPX-packed, with the UPX magic bytes overwritten so the stock unpacker does not recognize the file) that harvests ~86 environment variables and 20+ credential file paths (cloud credentials, AI API keys, SCM/registry/CI tokens, Kubernetes/Vault secrets), captures Exodus desktop wallet seed phrases, ships an eBPF kernel rootkit for process/socket hiding and anti-debugging, beacons to a Tor hidden service (`/api/agent`) with temp.sh as a fallback exfiltration channel, and self-republishes via npm OIDC Trusted Publishing. That last step works because a Trusted Publishing token is minted from the CI job's OIDC identity, so any code executing in a publishing workflow, including a compromised dependency's install hook, can publish new versions under that identity. Code paths targeting PyPI, Cargo, Conan and vcpkg credentials/registries were also present. IronWorm shares Shai-Hulud tradecraft (claude@ commit spoofing, dependency-tooling masquerade, supply-chain self-propagation) but escalates to a custom native implant.
Objective
Harvest developer, cloud, AI, registry, CI/CD and crypto-wallet credentials from Web3/crypto (Arweave/WeaveDB) developers and self-propagate across npm via OIDC Trusted Publishing.
Related campaigns
Packages
- npm: weavedb-sdk (attributed-to)
- npm: weavedb-lite (attributed-to)
- npm: weavedb-sdk-base (attributed-to)
- npm: test-weavedb-sdk (attributed-to)
- npm: weavedb-warp-contracts-plugin-deploy (attributed-to)
- npm: arnext-arkb (attributed-to)
- npm: weavedb-console (attributed-to)
- npm: arnext (attributed-to)
- npm: roidjs (attributed-to)
- npm: weavedb-exm-sdk (attributed-to)
- npm: create-arnext-app (attributed-to)
- npm: weavedb-tools (attributed-to)
- npm: wdb-core (attributed-to)
- npm: cwao-tools (attributed-to)
- npm: test-ajs (attributed-to)
- npm: monade (attributed-to)
- npm: weavedb-exm-sdk-web (attributed-to)
- npm: testnpmnmp (attributed-to)
- npm: warp-contracts-plugin-deploy-test (attributed-to)
- npm: wdb-cli (attributed-to)
- npm: ai3 (attributed-to)
- npm: cwao-units (attributed-to)
- npm: atomic-notes (attributed-to)
- npm: cwao (attributed-to)
- npm: weavedb-client (attributed-to)
- npm: wdb-sdk (attributed-to)
- npm: weavedb-offchain (attributed-to)
- npm: fpjson-lang (attributed-to)
- npm: weavedb-contracts (attributed-to)
- npm: weavedb-node-client (attributed-to)
- npm: arjson (attributed-to)
- npm: hbsig (attributed-to)
- npm: zkjson (attributed-to)
- npm: aonote (attributed-to)
- npm: weavedb-base (attributed-to)
- npm: weavedb-sdk-node (attributed-to)
- npm: wao (attributed-to)
Indicators
- github_repo: asteroid-dao/eternal-storage (indicates)
- github_repo: asteroid-dao/asteroid-protocol (indicates)
- github_repo: alisista/aht-testnet (indicates)
- github_repo: ocrybit/mweb3waves (indicates)
- github_repo: ocrybit/by-coffeescript (indicates)
- file_path: tools/setup (indicates)
- file_path: .github/scripts/precheck (indicates)
- file_path: q2.bpf.c (indicates)
- url: tor://api/agent (communicates-with)
- url: https://temp.sh (exfiltrates-to)
- url: http://127.0.0.1:8738 (communicates-with)
- url: https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package (communicates-with)
- wallet: 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 (indicates)
- email: [email protected] (indicates)
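The package names, dropper paths and network URLs above are enough to hunt for this campaign in an npm project and its CI egress logs. The script below is an added example written for this page; it is not JFrog's analysis tooling or anything from the worm. It assumes a package-lock.json in lockfileVersion 1, 2 or 3 layout, reads lifecycle scripts from installed packages' package.json files, and treats egress logs as "<job> <method> <url>" lines; all sample data (versions, job names, the log layout, the shape of the malicious postinstall hook) is constructed for the demonstration.

```python
"""Hunt for IronWorm indicators in an npm project and its CI egress logs.

Added example, not JFrog's or the worm's code. It applies the package names,
dropper file paths and network URLs listed on this page to (1) a lockfile,
(2) installed packages' lifecycle scripts and (3) egress log lines. All sample
data is constructed; versions, job names and the log layout are hypothetical.
"""
import json

# npm packages attributed to IronWorm (the "Packages" list on this page).
IRONWORM_PACKAGES = frozenset({
    "weavedb-sdk", "weavedb-lite", "weavedb-sdk-base", "test-weavedb-sdk",
    "weavedb-warp-contracts-plugin-deploy", "arnext-arkb", "weavedb-console",
    "arnext", "roidjs", "weavedb-exm-sdk", "create-arnext-app", "weavedb-tools",
    "wdb-core", "cwao-tools", "test-ajs", "monade", "weavedb-exm-sdk-web",
    "testnpmnmp", "warp-contracts-plugin-deploy-test", "wdb-cli", "ai3",
    "cwao-units", "atomic-notes", "cwao", "weavedb-client", "wdb-sdk",
    "weavedb-offchain", "fpjson-lang", "weavedb-contracts", "weavedb-node-client",
    "arjson", "hbsig", "zkjson", "aonote", "weavedb-base", "weavedb-sdk-node", "wao",
})
# File-path indicators a malicious lifecycle script would invoke.
DROPPER_PATHS = ("tools/setup", ".github/scripts/precheck")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Network indicators. A legitimate `npm publish` under Trusted Publishing also
# calls the OIDC exchange endpoint, so that hit only matters from a CI job that
# is not expected to publish.
EGRESS_IOCS = {
    "temp.sh": "exfiltration fallback",
    "registry.npmjs.org/-/npm/v1/oidc/token/exchange/package": "OIDC publish-token exchange",
}


def lockfile_hits(lock: dict) -> list:
    """Sorted (name, version) of locked packages attributed to IronWorm.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    the legacy lockfileVersion 1 "dependencies" tree; duplicates are merged."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name"
            if name in IRONWORM_PACKAGES:
                hits.add((name, meta.get("version", "?")))

    def walk(deps):
        for name, meta in deps.items():
            if name in IRONWORM_PACKAGES:
                hits.add((name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def suspicious_scripts(manifest: dict) -> list:
    """(hook, command) for lifecycle scripts that run a known dropper path."""
    return [(hook, cmd) for hook, cmd in manifest.get("scripts", {}).items()
            if hook in LIFECYCLE_HOOKS and any(p in cmd for p in DROPPER_PATHS)]


def egress_hits(log_lines, expected_publish_jobs=frozenset()) -> list:
    """(job, url, label) for "<job> <method> <url>" lines hitting a network IOC.
    OIDC exchange hits from jobs in expected_publish_jobs are legitimate publishes."""
    hits = []
    for line in log_lines:
        job, _method, url = line.split(maxsplit=2)
        for needle, label in EGRESS_IOCS.items():
            if needle in url:
                if needle.startswith("registry.npmjs.org") and job in expected_publish_jobs:
                    continue
                hits.append((job, url, label))
    return hits


# Constructed lockfileVersion 3 fragment; versions are hypothetical.
SAMPLE_LOCK = json.loads("""{
  "name": "example-dapp", "lockfileVersion": 3, "packages": {
    "": {"name": "example-dapp", "dependencies": {"weavedb-sdk": "^0.40.0"}},
    "node_modules/weavedb-sdk": {"version": "0.40.99"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/express/node_modules/wao": {"version": "1.0.1"}
  }
}""")
# Constructed manifest with a hook of the shape the page describes; not a real one.
SAMPLE_MANIFEST = json.loads("""{
  "name": "weavedb-sdk", "version": "0.40.99",
  "scripts": {"postinstall": "chmod +x tools/setup && tools/setup", "test": "jest"}
}""")
# Constructed egress log, "<job> <method> <url>"; only the "release" job may publish.
SAMPLE_EGRESS = [
    "release POST https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package",
    "ci-test POST https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package",
    "ci-test POST https://temp.sh/upload",
    "ci-test GET https://registry.npmjs.org/express",
]

if __name__ == "__main__":
    print("packages:", lockfile_hits(SAMPLE_LOCK))
    print("scripts:", suspicious_scripts(SAMPLE_MANIFEST))
    print("egress:", egress_hits(SAMPLE_EGRESS, expected_publish_jobs={"release"}))
```

Two caveats when running this against real data: the name match only catches the packages named on this page, so a dependency that pulled in one of the 43 compromised packages under a different version or a later unlisted name still needs a version-pinned review, and the OIDC exchange endpoint is normal traffic for a job that is supposed to publish, which is why the script takes an allow-list of expected publishing jobs rather than flagging every hit.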
Techniques
- ttp: T1195.002 Compromise Software Supply Chain (uses)
- ttp: T1027 Obfuscated Files or Information (uses)
- ttp: T1140 Deobfuscate/Decode Files or Information (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1078 Valid Accounts (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1090.003 Proxy: Multi-hop Proxy (uses)
- ttp: T1014 Rootkit (uses)
- ttp: T1564 Hide Artifacts (uses)
- ttp: T1562.001 Impair Defenses: Disable or Modify Tools (uses)
- ttp: T1622 Debugger Evasion (uses)
- ttp: T1098 Account Manipulation (uses)
- ttp: T1036 Masquerading (uses)
- ttp: T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries (uses)
- ttp: T1056.001 Input Capture: Keylogging (uses)
