Key Highlights
- IronWorm malware spreads via npm packages, targeting crypto devs and stealing wallet keys, tokens, and cloud credentials.
- SlowMist warns Rust-based IronWorm can hijack GitHub repos and republish infected code across supply chains automatically.
- Security firms say the attack creates a self-spreading loop, widening risk across Web3 projects and open-source ecosystems.
Security researchers have identified a new cyberattack targeting the cryptocurrency development ecosystem, warning that it is actively spreading through software tools used by developers.
In a post on X, security firm SlowMist said the malware, called IronWorm, is an advanced, Rust-based infostealer built to slip past traditional code audits. Once installed, it harvests sensitive information, including crypto wallet credentials, cloud access keys, GitHub tokens, and other development-related login details.
The concern is that it moves through trusted software supply chains, meaning one infected package can expose multiple projects and developers. According to SlowMist and JFrog Security Research, the malware goes further than simple theft. It can alter code repositories and republish infected software, effectively helping it spread on its own.
That creates a cycle where compromised accounts are used to distribute more malicious packages, widening the impact across open-source projects and Web3 applications.
JFrog uncovers sophisticated attack chain
JFrog’s investigation found that the attack was distributed through npm packages linked to an account called asteroiddao. According to the findings, attackers re-uploaded legitimate-looking packages but embedded hidden Linux-based malware inside the installation files.
The infection was triggered automatically during installation through npm's preinstall scripts, lifecycle hooks that npm runs before any of the package's own code is imported. In practice, this meant developers could be compromised simply by running a normal package install, without ever calling the library. One of the packages under review, weavedb-sdk@0.45.3, drew attention after it showed unusual behavior during execution.
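As an added example (not code from the article, JFrog or SlowMist), the script below audits the package.json manifests in a dependency tree for exactly these lifecycle hooks and flags hook scripts that download, decode, chmod or execute a bundled file. The package names, versions and script bodies it checks are constructed for illustration, and the SUSPICIOUS_PATTERNS heuristics are this example's own, not a published detection signature.

```javascript
// Added example: this is not code from the article, JFrog or SlowMist.
// It audits package.json manifests for npm lifecycle hooks, the install-time
// mechanism the article says IronWorm abused, and flags hook scripts that
// look like more than a native build. Package names, versions and script
// bodies in SAMPLE_TREE are constructed for illustration.

// Hooks npm runs on its own during `npm install`, before any of the
// package's exported code is ever imported by the developer.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics (this example's own) for scripts that deserve a manual look
// before the install is allowed to proceed.
const SUSPICIOUS_PATTERNS = [
  { name: "downloads",           re: /\b(curl|wget)\b/ },
  { name: "chmod",               re: /\bchmod\b/ },
  { name: "base64-decode",       re: /\bbase64\b.*(-d|--decode)/ },
  { name: "inline-eval",         re: /\bnode\s+-e\b|\beval\s*\(/ },
  { name: "runs-bundled-binary", re: /(^|[\s&|;])\.\/[^\s&|;]+/ },
  { name: "hidden-path",         re: /\/\.[\w-]+/ },
];

// Report every lifecycle hook in one manifest. A hook with no suspicious
// pattern still gets verdict REVIEW: a build step such as `node-gyp rebuild`
// is common, but it still executes arbitrary code on the developer's machine.
function auditManifest(name, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== "string") continue;
    const reasons = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(script)).map((p) => p.name);
    findings.push({ package: name, hook, script, reasons, verdict: reasons.length ? "BLOCK" : "REVIEW" });
  }
  return findings;
}

// Audit a whole tree given as { "path/to/package.json": "<file contents>" }.
// A manifest that does not parse is itself a BLOCK finding: never let a
// broken manifest pass as "no hooks found".
function auditTree(manifests) {
  const findings = [];
  for (const [file, text] of Object.entries(manifests)) {
    let parsed;
    try {
      parsed = JSON.parse(text);
    } catch (err) {
      findings.push({ package: file, hook: null, script: null, reasons: ["unparseable-manifest"], verdict: "BLOCK" });
      continue;
    }
    findings.push(...auditManifest(parsed.name || file, parsed));
  }
  return findings;
}

function shouldBlockInstall(findings) {
  return findings.some((f) => f.verdict === "BLOCK");
}

// Constructed sample tree: a native addon with a normal build hook, a package
// whose preinstall marks a bundled file executable and runs it, and a package
// with no lifecycle hooks at all.
const SAMPLE_TREE = {
  "node_modules/native-addon/package.json": JSON.stringify({
    name: "native-addon", version: "1.0.0",
    scripts: { install: "node-gyp rebuild", test: "mocha" },
  }),
  "node_modules/example-sdk/package.json": JSON.stringify({
    name: "example-sdk", version: "0.0.1",
    scripts: { preinstall: "chmod +x ./bin/setup && ./bin/setup", build: "tsc" },
  }),
  "node_modules/plain-lib/package.json": JSON.stringify({
    name: "plain-lib", version: "2.1.0",
    scripts: { test: "jest" },
  }),
};

const report = auditTree(SAMPLE_TREE);
for (const f of report) {
  const why = f.reasons.length ? " [" + f.reasons.join(", ") + "]" : "";
  console.log(`${f.verdict.padEnd(6)} ${f.package} ${f.hook}: ${f.script}${why}`);
}
console.log(shouldBlockInstall(report) ? "install blocked pending review" : "no blocking findings");
```

On a real checkout, read each node_modules/**/package.json into the map passed to auditTree, or run it over the tarball contents before extraction. Independently of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true` on build agents) stops npm from running these hooks at all, which is the simplest way to deny this install-time execution path; packages that genuinely need a native build then have to be rebuilt explicitly, which is a reasonable price for not executing every dependency's preinstall blindly.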
Further analysis showed the malware was intentionally designed to be difficult to detect. It used encrypted strings, a modified version of the UPX packing tool, and complex Rust-based code to slow down reverse engineering efforts. Once researchers managed to unpack the code, they found components linked to GitHub APIs, credential theft, and self-spreading mechanisms.
JFrog also reported 57 fake commits spread across nine different organizations. The attackers disguised these changes as routine maintenance work and attributed them to trusted automation identities such as “claude,” “dependabot,” and “github-actions,” making the activity appear legitimate at first glance.
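A commit's author name is free text, so a name like "dependabot" proves nothing by itself. The check below is an added example, not code from the article, JFrog or SlowMist: it parses `git log --format='%H|%an|%ae|%G?'` output and flags commits that claim a bot identity but lack a signature git can verify, or whose author email is outside the domain that identity is expected to use. It assumes, for the purpose of the example, that the repository's genuine automation identities always produce signed commits and that the relevant public keys are in the local keyring; the expected-email table and the log lines are constructed for illustration.

```javascript
// Added example: not code from the article, JFrog or SlowMist. The article
// says the fake commits were attributed to automation identities such as
// "dependabot" and "github-actions". This check assumes (an assumption for
// this example, not something the article states) that the repository's
// real bot identities always produce commits whose signature git can verify,
// so a commit that claims a bot name without a valid signature, or with an
// author email outside the bot's expected domain, is treated as impersonation.
// The log lines in SAMPLE_LOG are constructed; their shape is what
//   git log --format='%H|%an|%ae|%G?'
// prints, where %G? is G (good), U (good signature, key not trusted),
// B (bad), N (no signature) or another single-letter status.

// Author names that claim to be automation.
const BOT_NAME_PATTERN = /\[bot\]$|^(dependabot|github-actions|renovate|claude)$/i;

// Assumed expected author-email patterns per bot (illustrative; replace with
// the identities your own organisation actually uses).
const EXPECTED_BOT_EMAIL = {
  "dependabot": /@users\.noreply\.github\.com$/,
  "github-actions": /@users\.noreply\.github\.com$/,
};

// Signature statuses accepted as "git verified this signature against a key
// in the local keyring". Anything else is a finding.
const VALID_SIG = new Set(["G", "U"]);

function parseGitLog(text) {
  return text.trim().split("\n").filter(Boolean).map((line) => {
    const [hash, author, email, sig] = line.split("|");
    return { hash, author, email, sig };
  });
}

// Reasons a bot-attributed commit fails the check; empty means it passed.
function checkBotCommit(commit) {
  const reasons = [];
  if (!VALID_SIG.has(commit.sig)) {
    reasons.push(commit.sig === "N" ? "unsigned" : `signature-status-${commit.sig}`);
  }
  const key = commit.author.replace(/\[bot\]$/i, "").toLowerCase();
  const expected = EXPECTED_BOT_EMAIL[key];
  if (!expected) reasons.push("unrecognised-bot-identity");
  else if (!expected.test(commit.email)) reasons.push("unexpected-author-email");
  return reasons;
}

// Return only the commits that claim a bot identity and fail a check.
// Human-authored commits are out of scope here; they go through normal review.
function flagImpersonatedBotCommits(commits) {
  return commits
    .filter((c) => BOT_NAME_PATTERN.test(c.author))
    .map((c) => ({ hash: c.hash, author: c.author, reasons: checkBotCommit(c) }))
    .filter((f) => f.reasons.length > 0);
}

// Constructed log: two genuine-looking signed bot commits, two commits that
// borrow a bot name without a signature, and one ordinary human commit.
const SAMPLE_LOG = `
a1b2c3d|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|G
e4f5a6b|dependabot|dependabot@example.invalid|N
c7d8e9f|github-actions[bot]|41898282+github-actions[bot]@users.noreply.github.com|U
0a1b2c3|claude|claude@example.invalid|N
4d5e6f7|alice|alice@example.invalid|N
`;

const flagged = flagImpersonatedBotCommits(parseGitLog(SAMPLE_LOG));
for (const f of flagged) console.log(`${f.hash} "${f.author}": ${f.reasons.join(", ")}`);
```

Run it over `git log --format='%H|%an|%ae|%G?' origin/main` in a branch-protection or audit job. A valid signature only helps if the verifying key is actually trusted and the account that holds it is not itself compromised, so this is a filter for the cheap impersonation the article describes, not a substitute for reviewing what the commit changed.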
Wallet theft and rootkit capabilities
Researchers say IronWorm is built to aggressively collect developer credentials across a wide range of systems. It goes after cloud services like AWS, container setups such as Kubernetes and Docker, AI development platforms, and cryptocurrency wallets.
The malware also includes a specific component aimed at the Exodus wallet, where it attempts to capture passwords and recovery phrases as users enter them.
Beyond data theft, it is designed to stay hidden on infected systems. Investigators found it deploys an eBPF rootkit, which allows it to conceal running processes and network activity from ordinary host tooling. It also relies on Tor to reach its command-and-control servers, receiving instructions and exfiltrating stolen data over that channel, which makes the traffic harder to trace back to the operator.
Despite its sophistication, researchers noted operational mistakes in the code. The malware contained debugging data, and in one case exposed a hardcoded wallet recovery phrase believed to belong to the operator behind the campaign.
Supply-chain threats continue growing
IronWorm is the latest in a series of supply-chain attacks targeting software developers this year. In May, the TrapDoor campaign was reported, with attackers using npm, PyPI, and Crates.io packages to reach developers working in crypto, DeFi, artificial intelligence, and cybersecurity.
More recently, security firm SlowMist warned about another strain called Mini Shai-Hulud, which was found to have compromised more than 170 JavaScript packages. The malware spread through widely used open-source libraries, increasing the scale of exposure. Earlier in the year, attackers also breached Axios package releases after gaining access to publishing credentials.
