IronWorm: Rust-built npm worm with eBPF rootkit and Tor C2 hits 36+ Arweave/WeaveDB packages
JFrog disclosed on 2026-06-04 that a single compromised npm account (asteroiddao, tied to Arweave/WeaveDB maintainer ocrybit) was used to push malicious versions of 36+ packages carrying IronWorm — a Rust ELF infostealer that loads an eBPF rootkit, exfiltrates over Tor, harvests Exodus crypto wallets, and republishes itself via stolen npm OIDC trust.
- Detected by
- JFrog · SlowMist · Phoenix Security · Aikido Security
- Also known as
- IronWorm
- Ecosystems
- npm
- Packages tracked
- 4
What happened
On 2026-06-04 JFrog Security Research disclosed IronWorm, a Rust-built self-propagating npm worm published from the asteroiddao npm account. asteroiddao corresponds to the Arweave-ecosystem asteroid-dao GitHub organisation; investigators traced the compromise to maintainer ocrybit, an Arweave/WeaveDB contributor whose credentials were stolen and replayed against npm and GitHub. SlowMist independently flagged the same wave the same day, framing it as a Web3-ecosystem campaign. Phoenix Security, BleepingComputer, Dark Reading, and SC Media each published parallel coverage within 24 hours and converged on a final scope of 36–37 packages.
Rust ELF + eBPF rootkit + Tor C2
Unlike the Bun-runtime Mini Shai-Hulud / Miasma lineage, IronWorm ships a 976KB Rust-compiled Linux ELF binary in each package's tools/ directory, executed via a preinstall lifecycle hook. The implant loads an eBPF program that hooks getdents64, read, and the socket family — hiding its own process entry, network connections, and on-disk artefacts from ps, ss/netstat, and lsof. The C2 channel is a Tor hidden service, so the operator endpoint is not visible to perimeter NetFlow or DNS logging.
The stealer module scans for 86 environment variables and 20 credential files. Targets explicitly named by JFrog include AWS access keys, Anthropic API keys, OpenAI API keys, npm _authToken, HashiCorp Vault configuration files, SSH private keys, GitHub PATs, and the Exodus desktop wallet vault — the explicit crypto-wallet targeting is what makes this campaign distinct from the credential-only Miasma waves.
Worm propagation via npm Trusted Publishing
IronWorm self-spreads by exfiltrating npm session tokens and replaying them against npm Trusted Publishing (OIDC). The implant enumerates every package the victim can publish, injects the same preinstall + tools/<binary> pair, and republishes — producing valid SLSA provenance attestations under the legitimate publisher trust. JFrog correlated this against GitHub Audit Log and found 57 backdated commits across 9 organisations, each crafted to look like routine maintenance from claude, dependabot, or github-actions bot identities. Reviewers scanning recent commits for unusual authors would see nothing suspicious.
Affected packages
The most confirmed list of victim packages comes from JFrog's IOC table and Phoenix Security's 37-package summary. The wave is concentrated in the Arweave / WeaveDB ecosystem, an ecosystem heavily used by Web3 dApps and decentralised database projects. SlowMist's same-day write-up specifically warns Web3 teams to audit their build pipelines.
- No CVE or GHSA has been assigned at time of cataloguing; npm pulled the malicious tarballs the same day, but cached versions remain in lockfiles and CI image caches.
- IronWorm shares the credential-theft and self-propagation pattern of Shai-Hulud — JFrog calls it "Shai-Hulud's rustier cousin" — but is implemented in a different language and uses an eBPF rootkit and Tor C2 not seen in any prior Mini Shai-Hulud / Miasma wave.
- Affected version list is approximate where exact numbers were not published; users should pin BELOW the 2026-06-04 publish wave on every listed package.
Affected packages (4)
- npm
arnext0.1.5 - npm
atomic-notes0.5.3 - npm
roidjs0.1.7 - npm
weavedb-lite0.1.1
Impact
preinstallhook drops and executes a 976KB Rust ELF binary from the package'stools/directory on everynpm install- eBPF kernel rootkit hides the IronWorm process, network sockets, and on-disk artefacts from
ps,ss/netstatandlsof— defenders on a compromised host see nothing in standard tooling - Tor-based C2: the implant connects to a hidden
.onionoperator endpoint, meaning egress filters that allow Tor (or that allow any unauthenticated outbound on a build host) cannot detect the channel by destination IP - Stealer enumerates 86 environment variables and 20 credential files: OpenAI / Anthropic API keys, AWS access keys, npm tokens, HashiCorp Vault config, SSH keys, GitHub PATs, Exodus desktop wallet vaults
- Self-propagation: stolen npm OIDC tokens are replayed against npm Trusted Publishing to republish every package the victim can write to — JFrog found 57 backdated commits forged across 9 GitHub organisations under spoofed
claude,dependabot, andgithub-actionsidentities - Web3 / Arweave ecosystem targeting: the
asteroiddaoaccount ships WeaveDB SDKs,arnext,aonote,cwao,roidjs,wao,zkjson, and other Arweave-adjacent libraries that are widely used in DeFi and dApp projects
What to do
- 1Audit npm lockfiles and CI image caches for any version of
weavedb-sdk,weavedb-sdk-base,weavedb-client,weavedb-lite,arnext,aonote,cwao,roidjs,wao,zkjson,fpjson-lang,atomic-notespublished on or after 2026-06-04 — downgrade to the last clean release predating that date - 2On any Linux host that ran
npm installfor an affected package: assume kernel-level compromise. The eBPF rootkit hides IronWorm fromps/ss/lsof. Re-image rather than attempt in-place clean-up - 3Block egress to Tor (entry guards /
torASN) from build runners and developer workstations; the C2 channel relies on hidden services - 4Inspect package tarballs for a
tools/directory containing a 976KB Linux ELF binary executed bypreinstall— JFrog's post lists the IOC hashes - 5Rotate every secret reachable from any host that installed an affected version: AWS, GCP, Azure, npm publish tokens, GitHub PATs, OIDC trust relations, Anthropic/OpenAI API keys, SSH keys
- 6Move any Exodus desktop wallet seed/keystore to cold storage and re-derive accounts; the implant exfiltrates the wallet vault directly
- 7Search GitHub Audit Log for backdated commits attributed to bot identities (
claude,dependabot,github-actions) in any repository owned by your organisation since 2026-06-01 — JFrog observed 57 such forgeries across 9 orgs
References
- JFrog Security ResearchIronWorm: Shai-Hulud's rustier cousinresearch.jfrog.com
- Phoenix SecurityIronWorm (No CVE): Rust-Built npm Worm Ships an eBPF Rootkit, Tor C2, and a Self-Propagating Supply Chain Implant Across 37 Packagesphoenix.security
- BleepingComputerNew IronWorm malware hits 36 packages in npm supply-chain attackbleepingcomputer.com
- Dark ReadingRust-Written IronWorm Hits NPM Supply Chaindarkreading.com
- OX SecurityIronWorm Supply Chain Malware Hits npmox.security
- The Hacker NewsIronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacksthehackernews.com
- SC MediaIronWorm malware, similar to Shai-Hulud, hits 57 projects across 9 organizationsscworld.com
- CryptopolitanAttackers trojanized Arweave's WeaveDB npm package to deploy malwarecryptopolitan.com
- CryptoTimesIronWorm Malware Targets Web3 Developers via Compromised npm Packagescryptotimes.io
- Aikido SecurityAikido Security alert: IronWorm supply-chain attack on asteroiddao npm packagesx.com