IronWorm malware plants rootkit in Arweave ecosystem npm libraries

Attackers planted an infostealer inside 36 npm packages linked to the Arweave ecosystem. It targeted developer credentials, SSH keys, and Exodus crypto wallet files. Security firm JFrog traced the attack back to a compromised maintainer account.

The malware is called IronWorm, and its built using Rust. It activates the moment a developer installs an npm package. Once running, it scans through the infected computer for 86 environment variables and 20 credential files, as JFrog’s research team found. It goes after AWS tokens, Anthropic and OpenAI API keys, npm authentication credentials, and crypto wallet data.

Arweave project packages carry hidden Rust malware

Attackers comproimised an npm account called “asteroiddao,” which belongs to the asteroid-dao GitHub group, part of the Arweave/WeaveDB decentralized database project.

All packages associated with the “asteroiddao” account were republished within a short time, with each new version containing a 976 KB Linux file located in a tools/ directory.

The file was set to run automatically through a preinstall hook in package.json, meaning it launched before npm even began installing anything. All a victim had to do was run npm install.

JFrog’s team pulled the file apart and found it had been packed in a way designed to fool standard unpacking tools. Inside was a large Rust program that kept its strings encrypted individually, with each one locked separately, making analysis much harder.

When those strings were finally decoded, they revealed GitHub API endpoints, paths to credential files, fake bot accounts linked to real GitHub user IDs, and templates for injecting malicious code into other package registries.

Stolen GitHub tokens let malware push commits and infect more repos

After harvesting credentials, IronWorm used them to push commits into repositories the victim could access. Those commits planted the same malicious binary into other packages, which could then be published to npm and compromise the next developer in the chain.

JFrog found 57 backdated malicious commits across nine GitHub organizations. The commits used the author name “claude” with the email claude@users.noreply.github.com. Timestamps were forged to match each repository’s most recent legitimate commit. One appeared to date back 13 years, though GitHub Actions logs confirmed all pushes happened within a few days of discovery.

The affected organizations included asteroid-dao, weavedb, ArweaveOasis, and several personal accounts associated with the developer “ocrybit.”

IronWorm also deployed an eBPF kernel rootkit to hide on infected machines. Communications to its operator routed through the Tor network. The Rust compiler left the rootkit’s source code in the binary, an operational mistake that made analysis easier.

One oddity is that the operator hardcoded their own cryptocurrency wallet recovery phrase into the malware. JFrog concluded this was a safeguard to prevent the stealer from exfiltrating the attacker’s own credentials during testing.

Malware attacks keep hitting npm

Application security firm Ox Security said that the attack was caught early, before it could spread to more packages on npm.

The malicious versions were marked as deprecated within a day and most of the backdated commits were removed from GitHub shortly after.

On May 14, hackers exploited an inactive maintainer account for node-ipc, a package with more than 822,000 weekly downloads. The exploit was accomplished by re-registering the maintainer’s expired email domain and resetting the npm password. Three compromised variants had credential stealing payloads aimed at over 90 categories of developer secrets.

Security firms Endor Labs and StepSecurity identified a concurrent but distinct attack using JavaScript-based malware called binding.gyp, which performed similar registry poisoning and GitHub Actions infection during the same timeframe.

Developers who installed any of the affected WeaveDB packages should rotate all credentials, check lock files for unexpected version changes, and enable two-factor authentication on npm and GitHub accounts.