Feed
CriticalPublished 4 Jun 20264 packages · 4 versions

IronWorm: Rust-built npm worm with eBPF rootkit and Tor C2 hits 36+ Arweave/WeaveDB packages

Summary

JFrog disclosed on 2026-06-04 that a single compromised npm account (asteroiddao, tied to Arweave/WeaveDB maintainer ocrybit) was used to push malicious versions of 36+ packages carrying IronWorm — a Rust ELF infostealer that loads an eBPF rootkit, exfiltrates over Tor, harvests Exodus crypto wallets, and republishes itself via stolen npm OIDC trust.

wormcredential-theftcrypto-wallet-drainmaintainer-takeoverci-cd-compromiseobfuscation
Detected by
JFrog · SlowMist · Phoenix Security · Aikido Security
Also known as
IronWorm
Ecosystems
npm
Packages tracked
4

What happened

On 2026-06-04 JFrog Security Research disclosed IronWorm, a Rust-built self-propagating npm worm published from the asteroiddao npm account. asteroiddao corresponds to the Arweave-ecosystem asteroid-dao GitHub organisation; investigators traced the compromise to maintainer ocrybit, an Arweave/WeaveDB contributor whose credentials were stolen and replayed against npm and GitHub. SlowMist independently flagged the same wave the same day, framing it as a Web3-ecosystem campaign. Phoenix Security, BleepingComputer, Dark Reading, and SC Media each published parallel coverage within 24 hours and converged on a final scope of 36–37 packages.

Rust ELF + eBPF rootkit + Tor C2

Unlike the Bun-runtime Mini Shai-Hulud / Miasma lineage, IronWorm ships a 976KB Rust-compiled Linux ELF binary in each package's tools/ directory, executed via a preinstall lifecycle hook. The implant loads an eBPF program that hooks getdents64, read, and the socket family — hiding its own process entry, network connections, and on-disk artefacts from ps, ss/netstat, and lsof. The C2 channel is a Tor hidden service, so the operator endpoint is not visible to perimeter NetFlow or DNS logging.

The stealer module scans for 86 environment variables and 20 credential files. Targets explicitly named by JFrog include AWS access keys, Anthropic API keys, OpenAI API keys, npm _authToken, HashiCorp Vault configuration files, SSH private keys, GitHub PATs, and the Exodus desktop wallet vault — the explicit crypto-wallet targeting is what makes this campaign distinct from the credential-only Miasma waves.

Worm propagation via npm Trusted Publishing

IronWorm self-spreads by exfiltrating npm session tokens and replaying them against npm Trusted Publishing (OIDC). The implant enumerates every package the victim can publish, injects the same preinstall + tools/<binary> pair, and republishes — producing valid SLSA provenance attestations under the legitimate publisher trust. JFrog correlated this against GitHub Audit Log and found 57 backdated commits across 9 organisations, each crafted to look like routine maintenance from claude, dependabot, or github-actions bot identities. Reviewers scanning recent commits for unusual authors would see nothing suspicious.

Affected packages

The most confirmed list of victim packages comes from JFrog's IOC table and Phoenix Security's 37-package summary. The wave is concentrated in the Arweave / WeaveDB ecosystem, an ecosystem heavily used by Web3 dApps and decentralised database projects. SlowMist's same-day write-up specifically warns Web3 teams to audit their build pipelines.

  • No CVE or GHSA has been assigned at time of cataloguing; npm pulled the malicious tarballs the same day, but cached versions remain in lockfiles and CI image caches.
  • IronWorm shares the credential-theft and self-propagation pattern of Shai-Hulud — JFrog calls it "Shai-Hulud's rustier cousin" — but is implemented in a different language and uses an eBPF rootkit and Tor C2 not seen in any prior Mini Shai-Hulud / Miasma wave.
  • Affected version list is approximate where exact numbers were not published; users should pin BELOW the 2026-06-04 publish wave on every listed package.

Affected packages (4)

  • npmarnext
    0.1.5
  • npmatomic-notes
    0.5.3
  • npmroidjs
    0.1.7
  • npmweavedb-lite
    0.1.1

Impact

  • preinstall hook drops and executes a 976KB Rust ELF binary from the package's tools/ directory on every npm install
  • eBPF kernel rootkit hides the IronWorm process, network sockets, and on-disk artefacts from ps, ss/netstat and lsof — defenders on a compromised host see nothing in standard tooling
  • Tor-based C2: the implant connects to a hidden .onion operator endpoint, meaning egress filters that allow Tor (or that allow any unauthenticated outbound on a build host) cannot detect the channel by destination IP
  • Stealer enumerates 86 environment variables and 20 credential files: OpenAI / Anthropic API keys, AWS access keys, npm tokens, HashiCorp Vault config, SSH keys, GitHub PATs, Exodus desktop wallet vaults
  • Self-propagation: stolen npm OIDC tokens are replayed against npm Trusted Publishing to republish every package the victim can write to — JFrog found 57 backdated commits forged across 9 GitHub organisations under spoofed claude, dependabot, and github-actions identities
  • Web3 / Arweave ecosystem targeting: the asteroiddao account ships WeaveDB SDKs, arnext, aonote, cwao, roidjs, wao, zkjson, and other Arweave-adjacent libraries that are widely used in DeFi and dApp projects

What to do

  1. 1Audit npm lockfiles and CI image caches for any version of weavedb-sdk, weavedb-sdk-base, weavedb-client, weavedb-lite, arnext, aonote, cwao, roidjs, wao, zkjson, fpjson-lang, atomic-notes published on or after 2026-06-04 — downgrade to the last clean release predating that date
  2. 2On any Linux host that ran npm install for an affected package: assume kernel-level compromise. The eBPF rootkit hides IronWorm from ps/ss/lsof. Re-image rather than attempt in-place clean-up
  3. 3Block egress to Tor (entry guards / tor ASN) from build runners and developer workstations; the C2 channel relies on hidden services
  4. 4Inspect package tarballs for a tools/ directory containing a 976KB Linux ELF binary executed by preinstall — JFrog's post lists the IOC hashes
  5. 5Rotate every secret reachable from any host that installed an affected version: AWS, GCP, Azure, npm publish tokens, GitHub PATs, OIDC trust relations, Anthropic/OpenAI API keys, SSH keys
  6. 6Move any Exodus desktop wallet seed/keystore to cold storage and re-derive accounts; the implant exfiltrates the wallet vault directly
  7. 7Search GitHub Audit Log for backdated commits attributed to bot identities (claude, dependabot, github-actions) in any repository owned by your organisation since 2026-06-01 — JFrog observed 57 such forgeries across 9 orgs

References

npm-2026-06-04-ironworm-arweave-weavedb