Attackers have compromised more than 50 legitimate npm packages to distribute two distinct malware strains — a self-replicating worm and a Rust-based information stealer that hides behind an eBPF kernel rootkit. The campaign, discovered by JFrog, represents one of the more sophisticated supply chain attacks to hit the JavaScript ecosystem this year.
Two Malware Families, One Attack Vector
The first threat, dubbed IronWorm by JFrog, is a self-spreading worm that propagates through the npm registry itself. It uses a compromised npm account named “asteroiddao” to publish trojanized package versions. Each malicious package contains a Rust ELF binary that executes automatically via a preinstall hook — meaning the malware runs the moment a developer installs the package.
Once active, IronWorm scrapes 86 different environment variables and credential files from the victim’s machine. It targets API keys and tokens from OpenAI Codex, Anthropic, Claude, Google Gemini, and other AI development tools. The stolen credentials then serve as a propagation mechanism, letting the worm spread to other packages the developer publishes — similar to the infamous Shai-Hulud worm that hit npm in 2023.
The second malware is a Rust-based information stealer that goes further by deploying an eBPF kernel rootkit. This gives it deep system-level access while making detection significantly harder. The stealer communicates with its operator over Tor, adding another layer of anonymity.
Why This Should Worry Every JavaScript Developer
Supply chain attacks on npm aren’t new, but the combination of techniques here is notable. The use of Rust binaries makes the malware harder to analyze than traditional JavaScript payloads. The eBPF rootkit provides kernel-level persistence that most endpoint security tools won’t catch. And the self-spreading mechanism means a single compromised developer account can cascade across hundreds of downstream projects.
The targeting of AI-related credentials is also telling. As more developers integrate AI coding assistants into their workflows, the API keys for these tools have become high-value targets. A stolen Anthropic or OpenAI key doesn’t just give access to the model — it can rack up thousands of dollars in usage charges or be used to access proprietary codebases.
What You Should Do
If you’re a JavaScript or Node.js developer, audit your project dependencies immediately. Check for any of the 50+ compromised packages — JFrog has published a full list in their advisory. Rotate any API keys or credentials that may have been exposed, especially those related to AI services.
Beyond the immediate response, this is a good reminder to lock down your npm publishing workflow. Use 2FA on your npm account, consider using provenance attributions, and be cautious about which packages you add to your projects — especially ones you don’t recognize.
What’s Next
Expect more supply chain attacks targeting AI development tooling. The concentration of valuable credentials in a small number of API keys makes them an attractive target, and the npm ecosystem’s open publishing model remains a weak link. Security researchers will likely find additional compromised packages as the investigation continues, so stay alert for updates from JFrog and the npm security team.
