On June 4, JFrog Security Research published their analysis of IronWorm — a supply chain attack that compromised 37 npm packages through the asteroiddao account. A 976KB Rust ELF binary triggered by preinstall. Caught early, before spreading to popular packages. But the techniques are a step change from everything that came before.
Three things make IronWorm different.
1. It commits as "claude"
Every malicious commit pushed to victim repositories uses the author identity claude@users.noreply.github.com. The commit messages are routine: "fix: resolve lint warnings," "test: add missing edge case," "ci: update workflow configuration."
The timestamps are forged. Some are backdated 13 years. In a repo where AI-generated commits are common and legitimate, these blend in. A developer scanning git log wouldn't notice. A code reviewer seeing a commit from "claude" might assume it came from an AI coding assistant doing its job.
Social engineering adapted to the AI era. The attacker isn't pretending to be a human — they're pretending to be an AI tool the team already trusts.
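Added example (not code from the JFrog analysis or from Commit): a small scan over `git log` output that looks for the two tells described above, commits authored under an AI-tool identity and commits dated earlier than their parent. The log lines below are constructed to mimic `git log --format='%H%x09%P%x09%ae%x09%ct%x09%s' --reverse`; the identity watchlist holds only the address named on this page and is meant to be extended.

```python
from datetime import datetime, timezone

# Identities an attacker might borrow from an AI assistant (from the write-up above).
AI_IDENTITIES = {"claude@users.noreply.github.com"}

# Constructed sample output of:
#   git log --format='%H%x09%P%x09%ae%x09%ct%x09%s' --reverse
# Fields: hash, parent hash(es), author email, committer timestamp, subject.
SAMPLE_LOG = """\
a1\t\tdev@example.com\t1717200000\tinitial import
a2\ta1\tdev@example.com\t1717286400\tfeat: add parser
a3\ta2\tclaude@users.noreply.github.com\t1717372800\tfix: resolve lint warnings
a4\ta3\tdev@example.com\t1306800000\tci: update workflow configuration
"""


def parse_log(text):
    """Turn tab-separated git log lines into dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, email, ts, subject = line.split("\t", 4)
        commits.append({
            "sha": sha,
            "parents": parents.split() if parents else [],
            "email": email,
            "ts": int(ts),
            "subject": subject,
        })
    return commits


def find_suspicious(commits, identities=AI_IDENTITIES):
    """Flag AI-identity authors and commits dated before their parent.

    Returns a list of (sha, subject, reasons). The parent comparison only
    catches non-monotonic history; an attacker who backdates a whole branch
    consistently would need a different check (e.g. against the ref's
    reflog or the first-seen time in the hosting platform).
    """
    by_sha = {c["sha"]: c for c in commits}
    findings = []
    for c in commits:
        reasons = []
        if c["email"] in identities:
            reasons.append("author is an AI-tool identity")
        for p in c["parents"]:
            parent = by_sha.get(p)
            if parent and c["ts"] < parent["ts"]:
                delta_days = (parent["ts"] - c["ts"]) // 86400
                reasons.append(f"dated {delta_days} days before parent {p}")
        if reasons:
            findings.append((c["sha"], c["subject"], reasons))
    return findings


if __name__ == "__main__":
    for sha, subject, reasons in find_suspicious(parse_log(SAMPLE_LOG)):
        print(sha, subject)
        for r in reasons:
            print("   -", r)
```

On the constructed sample the scan reports a3 (authored as "claude") and a4 (dated roughly 13 years before its parent). Run it against real history by piping the same `git log` format string into `parse_log`.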
2. It steals AI credentials specifically
IronWorm targets 86 environment variables and 20+ credential files. Standard targets (AWS, SSH, Docker) plus a new category:
- OpenAI API keys (OPENAI_API_KEY)
- Anthropic API keys (ANTHROPIC_API_KEY)
- Claude authentication files (session tokens)
- Cursor authentication files
- npm publish tokens (including Trusted Publishing OIDC tokens)
Stolen AI keys have immediate value. An OpenAI key with no spend cap runs thousands of dollars before anyone notices. An Anthropic key runs agents that escalate the attack. An npm token turns one compromised dev into a vector for every package they maintain.
The dedicated Exodus wallet module injects JavaScript to capture the password and seed mnemonic at login. This isn't a generic credential scraper — custom modules per high-value target.
3. It propagates through Trusted Publishing
npm's Trusted Publishing lets packages publish via GitHub Actions OIDC tokens instead of stored credentials. Designed to be more secure: no long-lived tokens to steal.
IronWorm doesn't need stored credentials. It modifies GitHub Actions workflows to request OIDC tokens at runtime, then publishes trojanized versions of the victim's packages with valid provenance attestations.
The result: malicious packages that pass npm audit signatures. Provenance says "published through a verified CI pipeline." It doesn't say "the CI pipeline was hijacked."
Same fundamental gap Miasma exploited with Red Hat's SLSA provenance the week before. Two independent attacks, one week apart, both defeating provenance through different mechanisms. Provenance is a chain-of-custody stamp, not a trust signal.
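Added example (not code from JFrog, npm or Commit): a check for the workflow modification described above. It is a line-level heuristic, not a YAML parser: it pulls the `permissions:` grants out of a GitHub Actions workflow, flags `id-token: write` together with a `npm publish --provenance` step, and reports which grants are new relative to a baseline copy. Both workflow texts are constructed for the example. Note that `id-token: write` is exactly what a legitimate Trusted Publishing workflow needs, so the useful signal is the change against the committed baseline, not the presence of the grant.

```python
import re

# Constructed workflows: a token-based release and the same file after an
# attacker switched it to OIDC publishing with provenance.
ORIGINAL_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

MODIFIED_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish --provenance --access public
"""

PERM_RE = re.compile(r"^(\s*)permissions:\s*$")
KV_RE = re.compile(r"^\s+([\w-]+):\s*(\S+)\s*$")


def permissions(text):
    """Collect key/value grants from every `permissions:` block (top-level and per-job)."""
    grants = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = PERM_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        i += 1
        # Consume the indented block beneath `permissions:`.
        while i < len(lines) and lines[i].strip() and lines[i].startswith(" " * (indent + 1)):
            kv = KV_RE.match(lines[i])
            if kv:
                grants[kv.group(1)] = kv.group(2)
            i += 1
    return grants


def audit_workflow(text):
    """Return human-readable findings for OIDC publishing capability."""
    findings = []
    if permissions(text).get("id-token") == "write":
        findings.append("requests an OIDC token (id-token: write)")
    if re.search(r"npm\s+publish[^\n]*--provenance", text):
        findings.append("publishes with a provenance attestation")
    return findings


def new_grants(baseline, current):
    """Grants present in `current` that the baseline did not have (or had with another value)."""
    before, after = permissions(baseline), permissions(current)
    return {k: v for k, v in after.items() if before.get(k) != v}


if __name__ == "__main__":
    print("original:", audit_workflow(ORIGINAL_WORKFLOW))
    print("modified:", audit_workflow(MODIFIED_WORKFLOW))
    print("new grants:", new_grants(ORIGINAL_WORKFLOW, MODIFIED_WORKFLOW))
```

In practice run `new_grants` with the baseline read from the default branch at a known-good commit and the current text from the working tree or the pull request head; a real implementation should load the YAML properly so that job-level `permissions` and flow-style mappings are not missed.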
What behavioral scoring shows
I ran every IronWorm package through Commit's behavioral audit:
| Package | Score | Publishers | Downloads/wk | Age |
|---|---|---|---|---|
| weavedb-sdk | 53 | 1 | ~1.2k | ~4yr |
| ai3 | low | 1 | <100 | <1yr |
| atomic-notes | low | 1 | <100 | <1yr |
| cwao | low | 1 | <100 | <1yr |
| zkjson | low | 1 | <100 | <1yr |
Single publisher. Low downloads. Limited history. Every IronWorm package fits the profile behavioral scoring catches before the first install completes.
The escalation timeline
| Date | Attack | What was new |
|---|---|---|
| Mar 5 | LiteLLM | Single-package PyPI credential theft |
| Mar 30 | axios | 99M downloads/week, stolen token |
| May 11 | Shai-Hulud | Self-propagating worm, 637 packages in 39 min |
| May 22 | TrapDoor | Cross-ecosystem + AI assistant poisoning |
| Jun 1 | Miasma | Forged SLSA provenance on Red Hat packages |
| Jun 4 | IronWorm | Rust + eBPF rootkit + AI credential theft + Trusted Publishing propagation |
Each attack introduces a capability the previous one didn't have. IronWorm is the first npm supply chain malware written in Rust, first to use an eBPF kernel rootkit, first to self-propagate through Trusted Publishing OIDC.
And it specifically targets AI coding assistant credentials. The attack vector has come full circle — AI tools accelerate development, but their credentials are now high-value targets, and the tools themselves are being impersonated in commit history.
What to do
Gate your AI assistant's installs:
npx proof-of-commitment hook
Every npm install, pip install, cargo add, and go get runs through a behavioral check before execution. Packages with no history get blocked.
Audit your current dependencies:
npx proof-of-commitment --file package-lock.json
Rotate AI credentials if any IronWorm package was installed in your environment. Check for modified GitHub Actions workflows.
Don't trust provenance alone. Both Miasma and IronWorm demonstrate that valid provenance attestations can come from compromised pipelines. Provenance answers "where did this come from?" Behavioral scoring answers "should I trust it?" You need both.
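Added example (not the proof-of-commitment tool's code): an offline audit of an npm lockfile that flags two things a reviewer wants to see before running `npm install`, packages that run an install-time script (npm records this as `hasInstallScript` in lockfile v2 and v3 entries) and packages whose names appear on the IronWorm list from the table above. The lockfile below is constructed; the watchlist contains only names from this page.

```python
import json

# Package names from the behavioral-scoring table above.
IRONWORM_PACKAGES = {"weavedb-sdk", "ai3", "atomic-notes", "cwao", "zkjson"}

# Constructed lockfile (v3 layout). esbuild is included as a benign package
# that legitimately ships an install script, to show the check is a review
# aid rather than a verdict.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "^1.3.0", "zkjson": "^0.1.0", "esbuild": "^0.21.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/zkjson": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/zkjson/-/zkjson-0.1.0.tgz",
            "hasInstallScript": True},
        "node_modules/esbuild": {
            "version": "0.21.0",
            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz",
            "hasInstallScript": True},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text, watchlist=IRONWORM_PACKAGES):
    """Return [(name, version, reasons)] for entries worth a second look."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfile v2/v3 carries per-package install-script flags")
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        reasons = []
        if entry.get("hasInstallScript"):
            reasons.append("runs a lifecycle script at install time")
        if name in watchlist:
            reasons.append("name is on the IronWorm package list")
        if reasons:
            findings.append((name, entry.get("version", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, version, reasons in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}")
        for r in reasons:
            print("   -", r)
```

Run it against a real project with `audit_lockfile(open("package-lock.json").read())`, and pair it with `npm ci --ignore-scripts` while the flagged packages are being reviewed; install scripts are common in legitimate native packages, so the output is a review list, not a block list.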
Commit scores npm, PyPI, Cargo, and Go packages on behavioral commitment — signals harder to fake than stars, READMEs, or download counts. Try the audit or add the MCP server to your AI assistant.