IronWorm self-propagating malware hits 36 npm packages (2026)

On 4 June 2026, researchers at JFrog disclosed IronWorm, a self-propagating supply-chain attack that infected 36 packages on the npm registry with infostealer malware. Unlike typical obfuscated-JavaScript npm threats, IronWorm is written in Rust and hides inside a binary executable triggered by an install script, communicating with its operator over the Tor network.

What happened

According to JFrog, the campaign began from a compromised npm account named asteroiddao, which published package versions carrying a Rust ELF binary executed during installation. The malware harvests dozens of environment variables and credential files that may contain OpenAI, AWS, Anthropic, and npm tokens, vault configuration files, SSH keys, and cryptocurrency wallet files.

Crucially, IronWorm self-propagates: once it lands in a developer or CI environment, it uses stolen npm credentials — including secrets tied to npm's Trusted Publishing workflow — to publish trojanized versions of packages the victim owns, infecting further developers and pipelines downstream. JFrog published the full list of affected packages and urged developers to upgrade to fixed releases, rotate keys, and enable two-factor authentication.

Why it matters

A worm that turns each compromised maintainer into a launchpad for the next is the supply-chain nightmare scenario: the blast radius grows automatically, and stolen CI tokens let it jump from one trusted publisher to another. IronWorm's use of a compiled Rust binary and Tor command-and-control also raises the bar for detection compared with the script-based package attacks defenders have grown used to.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/

thehackernews.comhttps://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html

darkreading.comhttps://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain

ox.securityhttps://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/

Related incidents

Zero-dayOngoingJune 10, 2026

Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)

Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.

Victim: Microsoft Defender

Zero-dayContainedJune 9, 2026

Google patches actively exploited Chrome V8 zero-day (CVE-2026-11645)

Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.

Victim: Google Chrome

Zero-dayOngoingJune 5, 2026

Cisco SD-WAN Manager zero-day exploited in the wild (CVE-2026-20245)

Cisco warned that an unpatched high-severity zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) was being actively exploited to execute arbitrary commands and escalate to root, after Mandiant reported a limited number of real-world attacks.

Victim: Cisco Catalyst SD-WAN Manager

Zero-dayOngoingJune 2, 2026

Google patches actively exploited Android zero-day (CVE-2025-48595)

Google's June 2026 Android security update fixed 124 vulnerabilities, including CVE-2025-48595, an actively exploited integer-overflow flaw in the Android Framework that lets a local attacker escalate privileges without user interaction.

Victim: Google Android