Introduction to IronWorm Malware
A recently discovered supply-chain attack has compromised 36 packages on the Node Package Manager (npm) index with a new type of infostealer malware known as IronWorm. According to researchers at JFrog, a supply-chain and devops company, IronWorm is written in Rust and targets 86 environment variables and 20 credential files that may contain sensitive information such as OpenAI, AWS, Anthropic, and npm credentials, as well as vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.
Technical Details of IronWorm
IronWorm hides behind an eBPF kernel rootkit and communicates with its operator over the Tor network. The malware self-propagates by using stolen credentials to publish trojanized versions of packages on npm, including packages associated with npm's Trusted Publishing workflow, which lets it infect additional developers and CI systems. The behavior of IronWorm is conceptually similar to that of Shai Hulud, another malware whose code was recently published on GitHub.
Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This suggests that IronWorm may be an evolution of TeamPCP's payload, as it appears to be a custom, carefully built implant from an operation with its own infrastructure.
Attack Vector and Mechanism
The latest attack started from a compromised account named 'asteroiddao,' which published package versions containing the Rust ELF binary. The binary is launched through the npm 'preinstall' lifecycle script, which runs automatically during package installation, and it pushes malicious commits into repositories. The commit author appears as 'claude,' and the timestamps point to several years ago, up to 13 years in some cases, even though the commits were pushed in the past few days. This is likely an attempt to evade investigation.
One notable element in JFrog's findings is a mechanism that relies on GitHub Actions to deliver stolen secrets. The malware serializes the secrets into a single value and writes it to a file with a harmless-looking name, as if it were lint or formatting output. The last step of the process is uploading the file as a build artifact, which can be downloaded by anyone with access. However, the researchers note that this delivery mechanism has not been used in the analyzed IronWorm supply-chain attack.
Impact and Mitigation
Application security company Ox Security reports that the IronWorm attack was detected early and stopped before it spread to more popular packages on npm. The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts.
In a related development, Endor Labs and StepSecurity have spotted a similar but distinct attack, unfolding during the same time frame, that involves a JavaScript-based malware named binding.gyp and performs registry poisoning and GitHub Actions infection.
Conclusion and Recommendations
The IronWorm malware attack highlights the importance of vigilance and proactive security measures in the software development and deployment process. Developers and organizations must remain aware of the evolving threat landscape and take steps to protect their packages, credentials, and infrastructure from such attacks.
- Upgrade to fixed releases of affected packages
- Rotate keys and credentials
- Enable two-factor authentication (2FA) for all accounts
Source: BleepingComputer