{"name":"IronWorm - npm Supply Chain Worm - campaign","description":"# Executive Threat Brief (CISO / Executive Leadership)\n\n## Campaign Snapshot\n\nIronWorm is an active npm supply chain worm caught in the wild by JFrog Security Research, distributed through 37 npm packages republished under the compromised `asteroiddao` account inside a single attack window. Unlike typical npm credential stealers built from obfuscated JavaScript, IronWorm ships as a 976 KB Rust ELF binary executed via a `preinstall` hook on `npm install`. The implant packs a custom-modified UPX stub to defeat signature-based unpackers, encrypts every internal string with a unique per-call-site key, sweeps 86 environment variables and 20+ credential file paths covering AWS, GCP, Azure, Vault, Kubernetes, npm, Docker, GitHub, and the full 2026 generation of AI provider keys (Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI), and carries an embedded eBPF kernel-level rootkit that hides its own processes, sockets, and SIGKILLs any ptrace attempt. C2 runs over Tor against a hidden service at `/api/agent`. A dedicated Exodus desktop wallet hook weakens Electron sandboxing to capture the seed mnemonic at unlock time. The operator hardcoded their own BIP-39 recovery phrase in the wallet-stealer skip list — a rehearsal-grade mistake from an otherwise sophisticated build.\n\nBusiness risk is immediate. The `preinstall` hook fires on `npm install` — the package does not need to be imported. Every Linux developer machine or CI runner that resolved an affected version must be treated as fully compromised: GitHub tokens, AWS/GCP/Azure credentials, Kubernetes service account tokens, HashiCorp Vault tokens, npm tokens, and AI provider API keys are all in scope for rotation. Persistence on local hosts runs through the eBPF rootkit. On stock Linux without kernel lockdown enabled, the rootkit hides the implant's own processes, TCP connections, and netlink socket entries from standard tooling. `npm uninstall` does not remove the rootkit.\n\nPropagation runs through npm Trusted Publishing OIDC token exchange — the same mechanism Mini Shai-Hulud used against TanStack in May 2026. On any CI runner with active OIDC federation, the worm exchanges the runner's identity token for a short-lived, package-scoped publish token via npm's `/-/npm/v1/oidc/token/exchange/package/<pkg>` endpoint and republishes itself under whichever maintainer namespace the runner can reach. No stored npm credential is required. No CVE has been assigned. Traditional CVE-based scanning had zero detection surface for IronWorm at the point of compromise.\n\nGitHub repository poisoning runs in parallel: 57 backdated malicious commits were pushed across 9 compromised organizations (`ocrybit`, `asteroid-dao`, `alisista`, `warashibe`, `kakedashi-hacker`, `weavedb`, `ArweaveOasis`, `arthursimao`, `mlebjerg`), with commit timestamps copied from each repository's most recent legitimate commit so changes appeared backdated by up to 13 years. Author identities were spoofed as `claude@users.noreply.github.com` for build-system modifications and as `dependabot[bot]`, `renovate[bot]`, or `github-actions[bot]` for workflow file replacements. The cleanup that followed JFrog's disclosure deprecated the malicious npm versions and removed most malicious commits, but was incomplete — the compromised account had approximately 4,500 contributions to private projects in the same month, so the public scope is a lower bound.\n\nCredit: this campaign was discovered and primarily analyzed by JFrog Security Research."}