Attackers uploaded 36 malicious npm packages carrying a new malware strain called IronWorm, putting developers and continuous integration systems at risk if they installed the poisoned versions. JFrog says the Rust-based malware steals 86 environment variables and 20 credential-file types, including AWS, OpenAI, Anthropic, npm, SSH, vault, and crypto-wallet data; it was first linked to the compromised npm account 'asteroiddao' and can self-propagate by abusing stolen npm publishing and Trusted Publishing secrets to push trojanized package updates.
Why it matters: Because the worm re-publishes itself with stolen publishing credentials, a single compromised developer workstation or build system can seed many other packages and organizations, making this a high-priority software supply-chain threat. Developers and defenders should identify any affected package versions in their dependency trees, upgrade to clean releases, rotate any credentials the malware could have read, review GitHub Actions and npm publishing tokens, and enforce two-factor authentication on publishing accounts.
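As an added example (not from the article or from JFrog), the following Node.js script performs the first response step named above: it walks an npm `package-lock.json` (v1 tree or v2/v3 flat `packages` map, including nested and scoped entries) and reports every installed name@version that appears on an advisory deny-list. The package names and versions in `ADVISORY` and the sample lockfile are constructed placeholders, not IronWorm indicators; substitute the published list.

```javascript
// Added example: check a package-lock.json against a deny-list of bad versions.
// PLACEHOLDER entries; replace with the real advisory's package@version list.
const ADVISORY = {
  "example-compromised-pkg": new Set(["1.4.2", "1.4.3"]),
  "another-example-pkg": new Set(["0.9.1"]),
};

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/name".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Lockfile v1 stores a nested tree: name -> { version, dependencies }.
function walkV1(deps, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (info.version) out.push({ name, version: info.version });
    if (info.dependencies) walkV1(info.dependencies, out);
  }
}

// Every installed { name, version } pair in the lockfile, any version format.
function listInstalled(lockText) {
  const lock = JSON.parse(lockText);
  const out = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = nameFromPath(path); // root entry "" yields null and is skipped
      if (name && info.version) out.push({ name, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, out);
  }
  return out;
}

// Installed entries whose exact name@version is on the advisory list.
function findCompromised(lockText, advisory = ADVISORY) {
  return listInstalled(lockText).filter(
    ({ name, version }) => advisory[name] && advisory[name].has(version)
  );
}

// Constructed sample v3 lockfile: one clean entry, two flagged entries.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/example-compromised-pkg": { version: "1.4.2" },
    "node_modules/left-pad/node_modules/another-example-pkg": { version: "0.9.1" },
  },
});
```

Run it against a real lockfile with `findCompromised(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the pinned tree includes a flagged release, and note that a match only shows exposure, so credential rotation still applies even after upgrading.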
Bill Toulas
2026.06.04
The article establishes a distinct npm supply-chain incident centered on the newly identified IronWorm malware and a specific set of 36 compromised packages, rather than merely revisiting the earlier Shai-Hulud or other npm package hijacking events.