JFrog tied the supply-chain attack to 36 Arweave-related packages republished via a compromised asteroiddao npm account, enabling credential theft, GitHub tampering, Tor-based command and control and eBPF rootkit persistence.
SlowMist warned that a Rust supply-chain malware campaign called IronWorm is targeting developer environments and the Web3 ecosystem through malicious npm packages. JFrog later linked the campaign to 36 packages tied to the Arweave and WeaveDB ecosystem that were republished through a compromised “asteroiddao” maintainer account, with the malware configured to run via a preinstall hook. According to the researchers, the attack can steal credentials, wallet mnemonics and passwords, SSH keys, Exodus wallet files, CI/CD secrets, AWS tokens, Anthropic and OpenAI API keys, and npm authentication data; it can also use stolen GitHub tokens to tamper with repositories and publish further malicious packages. The campaign used Tor-based command and control and an eBPF kernel rootkit for stealth, highlighting the broader risk that poisoned software dependencies can spread from developer machines into code repositories and deployment pipelines.
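Because the malware described above was wired to an npm preinstall hook, one defensive check is to enumerate every package in a dependency tree that declares an install-time lifecycle script and confirm whether npm's ignore-scripts setting is in force. The following is an added example written for this page, not code from JFrog, SlowMist or any of the named projects; the package names and commands it constructs are placeholders for illustration only.

```python
"""Audit a node_modules tree for install-time lifecycle hooks.

Added example (not part of the original report). Walks node_modules, reads each
package.json and reports packages that define preinstall/install/postinstall
scripts, the execution vector the IronWorm report attributes to the malicious
packages. Also checks an .npmrc fragment for ignore-scripts=true.
"""
import json
import os
import tempfile

# npm runs these script names automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules_dir):
    """Return {package_name: {hook: command}} for every package with install-time scripts."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules_dir):
        if "package.json" not in files:
            continue
        path = os.path.join(root, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the audit.
            continue
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            # Fall back to the on-disk path if the manifest has no name field.
            name = manifest.get("name") or os.path.relpath(root, node_modules_dir)
            findings[name] = hooks
    return findings


def ignore_scripts_enabled(npmrc_text):
    """True if the given .npmrc contents set ignore-scripts=true (comments and blanks ignored)."""
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _sep, value = line.partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def demo():
    """Build a constructed sample tree (hypothetical package names) and audit it."""
    base = tempfile.mkdtemp()
    nm = os.path.join(base, "node_modules")
    # Constructed manifests: one benign package and one scoped package with install hooks.
    packages = {
        "example-benign": {
            "name": "example-benign",
            "version": "1.0.0",
            "scripts": {"test": "node test.js"},
        },
        "@example/hooked": {
            "name": "@example/hooked",
            "version": "2.3.1",
            "scripts": {"preinstall": "node setup.js", "postinstall": "node done.js"},
        },
    }
    for folder, manifest in packages.items():
        pkg_dir = os.path.join(nm, *folder.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return find_install_hooks(nm)


if __name__ == "__main__":
    for pkg, hooks in demo().items():
        print(f"{pkg}: {hooks}")
    print("ignore-scripts set:", ignore_scripts_enabled("ignore-scripts=true\n"))
```

Run this against a real checkout by calling `find_install_hooks("node_modules")`; any package in the output should be reviewed before `npm install` is allowed to run scripts, and setting `ignore-scripts=true` in the project or CI `.npmrc` stops such hooks from executing at all.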