A new supply-chain attack has infected 36 npm packages with IronWorm, an infostealer that targets developer secrets, cloud credentials, SSH keys, and cryptocurrency wallet files. JFrog says the Rust-based malware hides behind an eBPF kernel rootkit, uses Tor for communication, and self-propagates by abusing stolen npm publishing credentials. #IronWorm #npm #JFrog #Rust #Tor
Key points
- IronWorm infected 36 packages on the npm registry.
- The malware steals environment variables and credential files containing sensitive keys and secrets.
- JFrog found that IronWorm is written in Rust and hides behind an eBPF kernel rootkit.
- The attack can spread by using stolen npm publishing credentials, including Trusted Publishing secrets.
- Researchers linked the initial compromise to the account named "asteroiddao" and noted similarities with Shai Hulud and TeamPCP.