JFrog researchers discovered a sophisticated supply chain attack in which a compromised npm account named asteroiddao was used to inject IronWorm — a Rust-based information stealer equipped with an eBPF kernel rootkit — into 36 npm packages. The malicious packages included backdated commit timestamps reaching up to 13 years into the past to disguise newly injected code as long-established, trusted software.
IronWorm’s Technical Architecture: eBPF Rootkit, Tor C2, and Backdated Commits
IronWorm represents a qualitative step beyond typical npm supply chain malware. Where most package-based infostealers rely on obfuscation and process hiding, IronWorm deploys an eBPF kernel rootkit to conceal itself from standard process listings and file system inspection tools — the same visibility layer that most security monitoring software uses to detect running processes. Combined with command-and-control communications routed through the Tor network, the malware is designed to operate inside compromised developer environments while remaining invisible to both the developer and to most endpoint security products that do not specifically monitor for eBPF-based rootkit behavior.
The backdating of commit timestamps — in some cases appearing to show contributions made as far back as 13 years ago — exploits the trust heuristic that developers and automated security tools apply to packages with long, apparently stable histories. A package appearing in commit logs since 2013 receives less scrutiny than one created last week, even if the malicious payload was introduced in a recent push to the repository.
The commit author in the malicious pushes was recorded as “claude” — a name chosen to blend into repositories where AI tooling integration is common and commits from AI-assisted development workflows would not be unusual. Malicious payloads were executed via the npm preinstall hook, which runs before any manual inspection of installed package contents.
IronWorm’s 86-Variable Credential Scope: OpenAI, Anthropic, and AWS API Keys
IronWorm targets 86 environment variables and 20 credential files, with a specifically curated target list optimized for maximum financial and infrastructure impact from a single developer workstation compromise. Credential targets include API keys for OpenAI and Anthropic, AWS access credentials, npm authentication tokens, SSH private keys, HashiCorp Vault configuration files, and Exodus cryptocurrency wallet files.
The inclusion of both OpenAI and Anthropic API credentials reflects the current operational environment for software developers: AI API keys grant not just API access but access to any proprietary models, fine-tuned deployments, and data pipelines the account holder has configured. A stolen AI API key can be immediately monetized by running inference workloads at the victim’s expense, and it provides access to any proprietary model capabilities the account holder has paid to develop.
How IronWorm Uses Stolen npm Credentials to Extend the Supply Chain Compromise
IronWorm’s most dangerous capability extends the attack well beyond the initial victim. Once the malware obtains npm credentials — including npm’s Trusted Publishing workflow secrets — it uses those credentials to publish trojanized versions of packages that the compromised developer or CI system owns. Every developer who subsequently installs those packages inherits the IronWorm payload, extending the supply chain compromise outward from the initially infected environment to every downstream consumer of the victim’s packages without requiring any additional attacker action.
This self-propagation mechanism means that the scope of the attack compounds with each infected developer: a single compromised CI pipeline can serve as a propagation vector into dozens of dependent projects, organizations, and individual developer environments.
JFrog’s Discovery of the Compromised asteroiddao Account
JFrog researchers identified the attack through analysis of the asteroiddao npm account, which served as the injection point for all 36 affected packages. All 36 packages have been identified and reported to the npm registry for removal. JFrog worked with the broader security research community on the disclosure, with OX Security, Endor Labs, and StepSecurity contributing to the investigation.
Credential Rotation and npm Security Hardening for Affected Developers
Developers who installed any of the 36 affected packages should treat all credentials accessible from the compromised environment as stolen: rotate OpenAI, Anthropic, and AWS API keys immediately; revoke and reissue npm tokens; replace SSH keys used from the affected workstation; and audit any HashiCorp Vault credentials and Exodus wallet access. The eBPF rootkit component means standard process-level inspection may not reveal an active infection — full reimaging of affected systems is the reliable remediation path.
npm account holders should enable hardware-backed two-factor authentication on all publishing accounts and audit their Trusted Publishing workflow configurations for unauthorized changes.
