SOC Incident Toolkit
Worm in the Registry: IronWorm's Rust-Powered npm Supply Chain Assault on Developer Credentials

IronWorm, TeamPCP, eBPF Rootkit, Shai-Hulud, WeaveDB

IronWorm is a self-propagating Rust infostealer and supply chain worm targeting the Arweave/WeaveDB ecosystem via 36 trojanized npm packages. It executes a 976 KB Linux ELF binary via npm preinstall hooks without user interaction, harvesting secrets from 86 environment variables and 20 credential paths across cloud, AI, and CI/CD platforms. Protected by a Linux eBPF rootkit and exfiltrating data over Tor, it uses stolen credentials to forge backdated GitHub commits and publish further malicious packages to the npm registry.

Indicators of Compromise

Hashes (7)


APT Groups

TeamPcp

Notes

NOTES / CONCLUSION

IronWorm represents a significant technical evolution in npm supply chain attacks, combining a Rust-based infostealer, a Linux eBPF kernel rootkit, Tor-based C2, timestamp forgery, and npm Trusted Publishing OIDC abuse into a single, coherent self-replicating implant. Unlike earlier JavaScript-based npm stealers, the use of a compiled Rust ELF binary with per-call-site string encryption and a modified UPX stub makes static analysis substantially more difficult. The malware targeted the most valuable credentials in a 2026 developer environment: 86 environment variables spanning cloud providers, AI APIs (Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, xAI), CI/CD systems, and Kubernetes, in addition to dedicated Exodus cryptocurrency wallet exfiltration. While OX Security confirmed the campaign was contained before spreading to higher-traffic packages, the compromised account's approximately 4,500 private contributions suggest the true impact scope may exceed the 36 confirmed public packages.

The shared commit author name "claude" and architectural overlaps with the Shai-Hulud worm family suggest a potential connection to the TeamPCP threat actor group, though no direct link has been confirmed as of publication.

SOCRadar IOC Radar (https://socradar.io/free-tools/ioc-radar) continuously monitors indicators linked to active npm supply chain campaigns. The Cyber Threat Intelligence module provides real-time tracking of supply chain threat actor evolution, including the Shai-Hulud/IronWorm lineage and associated infrastructure. Attack Surface Management enables identification of software dependencies on affected npm packages within organizational digital footprints. Dark Web Monitoring (https://socradar.io/glossary/dark-web-monitoring/) tracks underground activity related to stolen developer credential markets and AI API key trafficking.

Mitigation: MITRE ATT&CK Technique Mapping

Tactic             | Technique                                                  | ID
Initial Access     | Supply Chain Compromise: Compromise Software Supply Chain  | T1195/002 (https://attack.mitre.org/techniques/T1195/002/)
Execution          | Command and Scripting Interpreter                          | T1059 (https://attack.mitre.org/techniques/T1059/)
Execution          | Software Deployment Tools                                  | T1072 (https://attack.mitre.org/techniques/T1072/)
Credential Access  | Unsecured Credentials: Credentials in Files                | T1552/001 (https://attack.mitre.org/techniques/T1552/001/)
Credential Access  | Unsecured Credentials: Environment Variables               | T1552/007 (https://attack.mitre.org/techniques/T1552/007/)
Defense Evasion    | Rootkit                                                    | T1014 (https://attack.mitre.org/techniques/T1014/)
Defense Evasion    | Masquerading                                               | T1036 (https://attack.mitre.org/techniques/T1036/)
Defense Evasion    | Indicator Removal: Timestomp                               | T1070/006 (https://attack.mitre.org/techniques/T1070/006/)
Persistence        | Compromise Host Software Binary                            | T1554 (https://attack.mitre.org/techniques/T1554/)
Command & Control  | Proxy: Tor                                                 | T1090/003 (https://attack.mitre.org/techniques/T1090/003/)
Exfiltration       | Exfiltration Over C2 Channel                               | T1041 (https://attack.mitre.org/techniques/T1041/)
Lateral Movement   | Valid Accounts                                             | T1078 (https://attack.mitre.org/techniques/T1078/)