
New IronWorm malware hits 36 packages in npm supply-chain attack

BleepingComputer, 04/06/2026, 15:25

Summary

AI-Generated

Key Points:

  • A new supply-chain attack has compromised 36 npm packages with the IronWorm infostealer malware, targeting sensitive environment variables and credential files.
  • The malware can publish trojanized package versions, potentially infecting additional developers and CI systems, and it uses a stealthy delivery mechanism through GitHub Actions.
  • Recommended actions include upgrading to fixed package releases, rotating keys, and enabling two-factor authentication (2FA) for all accounts.

Technical Details: IronWorm is written in Rust and employs an eBPF kernel rootkit for stealth. It communicates over the Tor network and self-propagates using stolen credentials associated with npm's Trusted Publishing workflow.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1078 - Valid Accounts (Defense Evasion, Initial Access)
  • T1046 - Network Service Discovery (Discovery)

IOCs Mentioned: None mentioned
