Critical | Threat analysis

IronWorm npm Supply-Chain Worm Uses eBPF Rootkit

JFrog Security disclosed the IronWorm campaign, a Rust-based, self-propagating npm information-stealing worm targeting AI API keys, developer SSH/cloud credentials, and cryptocurrency wallets. The malware utilizes an eBPF rootkit for stealth and Tor for C2 communication, propagating by leveraging compromised CI/CD OIDC tokens to publish backdoored updates.

#npm #ebpf #supply-chain #credential-theft #rust

    Executive Summary

    On 2026-06-03, researchers from JFrog Security disclosed a highly sophisticated npm supply-chain campaign named IronWorm [Source 1]. IronWorm functions as a self-propagating infostealer targeting developer environments, cloud resources, AI API keys, and cryptocurrency wallets [Source 1] [Source 2].

    The worm executes a Rust-based ELF binary via package preinstall hooks during npm install [Source 1]. Once active on a host, it deploys an eBPF (extended Berkeley Packet Filter) kernel rootkit to hide its processes and file handles from system monitors and communicates with Command-and-Control (C2) servers over the Tor network [Source 1] [Source 2]. It spreads by harvesting npm publication tokens and CI/CD OIDC tokens, using npm’s Trusted Publishing workflow to release trojanized updates under compromised maintainer accounts [Source 1] [Source 3].

    Source-Watcher Candidate Queue

    candidate_id: "ironworm-npm-ebpf-stealer-worm"
    first_seen: "2026-06-03"
    decision: "publish_ready"
    relationship: "candidate_child_event_of_shai_hulud"
    dedupe_keys:
      - "technique:ebpf-rootkit"
      - "npm:asteroiddao"
      - "github:ocrybit"
    starting_sources:
      - "JFrog Security Research disclosure"
      - "OX Security incident intelligence"
      - "npm registry metadata"
      - "GitHub commit history for ocrybit"

    Key Facts

    threat_type: "malicious npm package self-propagating worm"
    ecosystem: "npm"
    technique: "eBPF kernel rootkit, Tor network C2, Trusted Publishing abuse"
    campaign_name: "IronWorm"
    related_family: "Shai-Hulud"
    disclosed: "2026-06-03"
    execution_trigger:
      - "npm preinstall hook"
      - "rust binary execution"
    known_affected_packages:
      - "ai3"
      - "aonote"
      - "arjson"
      - "arnext"
      - "arnext-arkb"
      - "atomic-notes"
      - "create-arnext-app"
      - "cwao"
      - "cwao-tools"
      - "cwao-units"
      - "fpjson-lang"
      - "hbsig"
      - "monade"
      - "roidjs"
      - "test-ajs"
      - "test-weavedb-sdk"
      - "testnpmnmp"
      - "wao"
      - "warp-contracts-plugin-deploy-test"
      - "wdb-cli"
      - "wdb-core"
      - "wdb-sdk"
      - "weavedb-base"
      - "weavedb-client"
      - "weavedb-console"
      - "weavedb-contracts"
      - "weavedb-exm-sdk"
      - "weavedb-exm-sdk-web"
    credential_risk:
      - "npm tokens"
      - "GitHub OIDC tokens"
      - "cloud provider credentials (AWS, GCP, Azure)"
      - "SSH keys"
      - "AI API keys (OpenAI, Anthropic, Gemini)"
      - "cryptocurrency wallet files"

    Source Confidence and Claim Ledger

    | Claim | Status | Evidence |
    | --- | --- | --- |
    | JFrog disclosed a Rust-based, self-propagating npm infostealer worm on 2026-06-03. | confirmed | JFrog’s technical writeup documents the worm behavior, its target credentials, and Rust implementation [Source 1]. |
    | The campaign uses an eBPF rootkit and Tor for C2 stealth. | confirmed | Research analysis verified the loading of custom eBPF programs to filter process monitoring syscalls and Tor network configuration [Source 1] [Source 2]. |
    | The worm propagates via npm’s Trusted Publishing workflow using stolen CI/CD OIDC tokens. | confirmed | Registry audits and commit records show automated package updates published from CI runners using OIDC authentication [Source 1] [Source 3] [Source 4]. |
    | Stolen developer credentials have been used to commit backdated code. | confirmed | GitHub commit history for user account ocrybit shows backdated git tree edits to hide malicious revisions [Source 1] [Source 4]. |

    Impact Determination

    | Classification | Criteria | Required evidence | Handling decision | Closure condition |
    | --- | --- | --- | --- | --- |
    | Confirmed compromise | Affected package version was installed and native execution or C2 traffic is observed. | Process creation logs, eBPF module load events, Tor network connection logs. | Isolate host, revoke active sessions, and rotate all credentials from a clean machine. | Complete system rebuild, token revocation logs, and downstream cloud trail audits showing zero anomalies. |
    | Presumed exposed | Affected package name and version found in project lockfile or build log. | package-lock.json, pnpm-lock.yaml, yarn.lock, CI console logs. | Treat all reachable credentials (AWS, GCP, AI APIs, SSH) as compromised. | Full credential rotation and lockfile cleanup verified by git commit. |
    | Potentially exposed | Dependency matches names of compromised packages, but version resolution is undetermined. | package.json dependencies, registry logs. | Verify exact resolved version in target environment. | Hit is confirmed as either clean (unaffected version) or escalated. |
    | Not exposed | No affected package selectors or C2 indicators present in the network and workspace. | Negative audit results from endpoint and repo scans. | Maintain active monitoring for eBPF rootkit signatures. | All endpoints and code repos are scanned with negative results. |

    Timeline

    • 2026-06-01 to 2026-06-03: Exposure window when compromised npm package versions were actively published to the registry [Source 3].
    • 2026-06-03: JFrog Security publishes findings detailing the IronWorm malware campaign [Source 1].
    • 2026-06-06: This Halting Problems refresh identified no existing post for the IronWorm campaign and added this intelligence report.

    Machine-Readable Event Profile

    {
      "event_id": "ironworm-npm-ebpf-stealer-worm",
      "title": "IronWorm npm Supply-Chain Worm Uses eBPF Rootkit",
      "first_seen": "2026-06-01",
      "published": "2026-06-03",
      "severity": "critical",
      "ecosystem": ["npm", "eBPF", "GitHub Actions"],
      "campaign_context": "IronWorm / Shai-Hulud",
      "affected_packages": [
        "ai3", "aonote", "arjson", "arnext", "arnext-arkb", "atomic-notes",
        "create-arnext-app", "cwao", "cwao-tools", "cwao-units", "fpjson-lang",
        "hbsig", "monade", "roidjs", "test-ajs", "test-weavedb-sdk", "testnpmnmp",
        "wao", "warp-contracts-plugin-deploy-test", "wdb-cli", "wdb-core",
        "wdb-sdk", "weavedb-base", "weavedb-client", "weavedb-console",
        "weavedb-contracts", "weavedb-exm-sdk", "weavedb-exm-sdk-web"
      ],
      "known_malicious_versions": {
        "ai3": ["0.3.5"],
        "aonote": ["0.11.1"],
        "arjson": ["0.1.4"],
        "arnext": ["0.1.5"],
        "arnext-arkb": ["0.0.2"],
        "atomic-notes": ["0.5.3"],
        "create-arnext-app": ["0.0.10"],
        "cwao": ["0.5.6"],
        "cwao-tools": ["0.3.1"],
        "cwao-units": ["0.8.3"],
        "fpjson-lang": ["0.1.7"],
        "hbsig": ["0.3.2"],
        "monade": ["0.0.7"],
        "roidjs": ["0.1.7"],
        "test-ajs": ["0.1.19"],
        "test-weavedb-sdk": ["1.1.1"],
        "testnpmnmp": ["1.0.21"],
        "wao": ["0.41.2"],
        "warp-contracts-plugin-deploy-test": ["3.0.1"],
        "wdb-cli": ["0.1.1"],
        "wdb-core": ["0.1.2"],
        "wdb-sdk": ["0.1.2"],
        "weavedb-base": ["0.45.3"],
        "weavedb-client": ["0.45.3"],
        "weavedb-console": ["0.2.1"],
        "weavedb-contracts": ["0.45.2"],
        "weavedb-exm-sdk": ["0.7.4"],
        "weavedb-exm-sdk-web": ["0.7.4"]
      },
      "known_behaviors": [
        "install-time code execution",
        "Rust binary preinstall execution",
        "eBPF kernel rootkit process hiding",
        "Tor network C2 communication",
        "OIDC Trusted Publishing token theft"
      ],
      "primary_sources": [
        "https://jfrog.com/blog/ironworm-npm-supply-chain-ebpf-stealer-worm",
        "https://www.ox.security/ironworm-malicious-npm-packages-targeting-arweave",
        "https://www.npmjs.com/",
        "https://github.com/ocrybit"
      ]
    }

    Indicators of Compromise

    packages:
      - "ai3@0.3.5"
      - "aonote@0.11.1"
      - "arjson@0.1.4"
      - "arnext@0.1.5"
      - "arnext-arkb@0.0.2"
      - "atomic-notes@0.5.3"
      - "create-arnext-app@0.0.10"
      - "cwao@0.5.6"
      - "cwao-tools@0.3.1"
      - "cwao-units@0.8.3"
      - "fpjson-lang@0.1.7"
      - "hbsig@0.3.2"
      - "monade@0.0.7"
      - "roidjs@0.1.7"
      - "test-ajs@0.1.19"
      - "test-weavedb-sdk@1.1.1"
      - "testnpmnmp@1.0.21"
      - "wao@0.41.2"
      - "warp-contracts-plugin-deploy-test@3.0.1"
      - "wdb-cli@0.1.1"
      - "wdb-core@0.1.2"
      - "wdb-sdk@0.1.2"
      - "weavedb-base@0.45.3"
      - "weavedb-client@0.45.3"
      - "weavedb-console@0.2.1"
      - "weavedb-contracts@0.45.2"
      - "weavedb-exm-sdk@0.7.4"
      - "weavedb-exm-sdk-web@0.7.4"
    process_patterns:
      - "preinstall hook launching custom Rust binary"
      - "unusual loading of eBPF programs"
    network_indicators:
      - "outbound connections to Tor network nodes"
      - "onion domains queried"

    Detection and Hunting

    Use the reusable audit script at scripts/threat-posts/ironworm_npm_ebpf_audit.py.

    python3 scripts/threat-posts/ironworm_npm_ebpf_audit.py \
      --repo-root /srv/source-export \
      --node-modules-root /srv/build-cache-export \
      --log-dir /srv/ci-and-endpoint-logs \
      --github-audit-dir /srv/github-audit-export \
      --output hp-ironworm-ebpf-audit.json \
      --fail-on-hit
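    The audit script itself is not reproduced on this page. As an added example (not the Halting Problems script, and not code from JFrog or OX Security), the Python below walks the lockfile and manifest evidence named in the Impact Determination table and assigns each hit a tier. The name-to-version map is copied from the Machine-Readable Event Profile above; the file paths, the sample lockfile contents, and the unrelated entries (`@scope/pkg`, `left-pad`, `react`, `express`) are constructed. It also lists the install-time lifecycle hooks a package.json declares, because the worm runs from a preinstall hook.

```python
"""Lockfile/manifest audit for the IronWorm package@version pairs listed on this page.
Added example; it is not the Halting Problems ironworm_npm_ebpf_audit.py script and not code
from JFrog or OX Security. Tiers follow the Impact Determination table: presumed_exposed (exact
lockfile match), potentially_exposed (package.json name match, version unresolved), clean."""
import json
import re
from pathlib import Path

# Package -> known malicious versions, copied from the Machine-Readable Event Profile above.
KNOWN_MALICIOUS = {
    "ai3": {"0.3.5"}, "aonote": {"0.11.1"}, "arjson": {"0.1.4"}, "arnext": {"0.1.5"},
    "arnext-arkb": {"0.0.2"}, "atomic-notes": {"0.5.3"}, "create-arnext-app": {"0.0.10"},
    "cwao": {"0.5.6"}, "cwao-tools": {"0.3.1"}, "cwao-units": {"0.8.3"}, "fpjson-lang": {"0.1.7"},
    "hbsig": {"0.3.2"}, "monade": {"0.0.7"}, "roidjs": {"0.1.7"}, "test-ajs": {"0.1.19"},
    "test-weavedb-sdk": {"1.1.1"}, "testnpmnmp": {"1.0.21"}, "wao": {"0.41.2"},
    "warp-contracts-plugin-deploy-test": {"3.0.1"}, "wdb-cli": {"0.1.1"}, "wdb-core": {"0.1.2"},
    "wdb-sdk": {"0.1.2"}, "weavedb-base": {"0.45.3"}, "weavedb-client": {"0.45.3"},
    "weavedb-console": {"0.2.1"}, "weavedb-contracts": {"0.45.2"}, "weavedb-exm-sdk": {"0.7.4"},
    "weavedb-exm-sdk-web": {"0.7.4"},
}

def classify(name, version):
    """Impact tier for one (name, resolved version or None); None when the name is unrelated."""
    if name not in KNOWN_MALICIOUS:
        return None
    if version is None:
        return "potentially_exposed"
    return "presumed_exposed" if version in KNOWN_MALICIOUS[name] else "clean"

def scan_package_lock(text):
    """Yield (name, version) from package-lock.json, lockfileVersion 1, 2 and 3."""
    data = json.loads(text)
    for path, meta in data.get("packages", {}).items():      # v2/v3: keyed by install path
        if "node_modules/" in path:
            yield path.rsplit("node_modules/", 1)[1], meta.get("version")
    def walk(deps):                                           # v1 (and v2 compat): nested tree
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(data.get("dependencies", {}))

# yarn classic: `wao@^0.41.0, wao@0.41.2:` + `  version "0.41.2"`; yarn berry: `  version: 0.41.2`
YARN_ENTRY = re.compile(r'^"?(@?[^@"\s,]+)@[^\n]*:\n\s+version:? "?([^"\n]+?)"?\s*$', re.M)
# pnpm v6+: `  /wao@0.41.2:` (v6) or `  wao@0.41.2:` (v9), optional peer suffix in parentheses
PNPM_ENTRY = re.compile(r"^ {2}/?(@?[^@\s]+)@(\d[^\s(:]*)[(:]", re.M)

def scan_yarn_lock(text):
    return [(m.group(1), m.group(2)) for m in YARN_ENTRY.finditer(text)]

def scan_pnpm_lock(text):
    return [(m.group(1), m.group(2)) for m in PNPM_ENTRY.finditer(text)]

def scan_package_json(text):
    """package.json holds ranges, not resolved versions, so each dependency is (name, None)."""
    data = json.loads(text)
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(field, {}):
            yield name, None

def install_hooks(package_json_text):
    """Install-time lifecycle scripts a package declares; IronWorm runs from preinstall."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {h: scripts[h] for h in ("preinstall", "install", "postinstall") if h in scripts}

SCANNERS = {"package-lock.json": scan_package_lock, "yarn.lock": scan_yarn_lock,
            "pnpm-lock.yaml": scan_pnpm_lock, "package.json": scan_package_json}

def audit(files):
    """files: {path: text}. Returns sorted, de-duplicated (tier, name, version, path) tuples."""
    findings = set()
    for path, text in files.items():
        scanner = SCANNERS.get(Path(path).name)
        if scanner is None:
            continue
        for name, version in scanner(text):
            tier = classify(name, version)
            if tier is not None:
                findings.add((tier, name, version, path))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or "", f[3]))

# Constructed sample inputs; they do not come from any real project.
SAMPLE_FILES = {
    "app/package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app"}, "node_modules/wao": {"version": "0.41.2"},
        "node_modules/wdb-sdk": {"version": "0.1.1"}, "node_modules/left-pad": {"version": "1.3.0"}}}),
    "svc/yarn.lock": '# yarn lockfile v1\n\n\nweavedb-base@^0.45.0:\n  version "0.45.3"\n\n'
                     '"@scope/pkg@^1.0.0":\n  version "1.0.0"\n',
    "svc/pnpm-lock.yaml": "lockfileVersion: '9.0'\n\npackages:\n\n  hbsig@0.3.2:\n"
                          "    resolution: {integrity: sha512-CONSTRUCTED}\n\n  react@18.3.1:\n",
    "tool/package.json": json.dumps({"name": "tool", "dependencies": {"ai3": "^0.3.0", "express": "^4"}}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(*finding)
```

    A `clean` hit (name matches, resolved version is not a listed one) is still reported so the analyst can confirm the version resolution rather than rely on the absence of a line, which is the closure condition the Potentially exposed row asks for. Point `audit()` at the real files from the exported repo and build cache instead of `SAMPLE_FILES`; CI console logs, which the table also lists as evidence, need a separate text search for the same `name@version` strings.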

    KQL: endpoint rootkit loading

    DeviceProcessEvents
    | where Timestamp between (datetime(2026-06-01T00:00:00Z) .. datetime(2026-06-05T23:59:59Z))
    | where ProcessCommandLine has_any ("asteroiddao", "ocrybit", "ai3", "weavedb-base", "warp-contracts-plugin-deploy-test")
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, ReportId
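    The KQL above keys on command-line strings. The complementary host-side check for the "unusual loading of eBPF programs" indicator is an inventory diff: enumerate the programs the kernel currently has loaded and compare them with a known-good baseline. The Python below is an added example (not the page's audit script, and not code from JFrog or OX Security) that parses the JSON emitted by `bpftool -j prog show`, skips programs present in the baseline, and flags the rest when they are of a hook type or are held by a process outside an allow-list. `BASELINE`, `ALLOWED_LOADERS`, the process names and the JSON sample are all constructed assumptions; the sample mimics bpftool's field names but is not real output.

```python
"""Baseline diff over `bpftool -j prog show` output. Added example, not from the page's
audit script, JFrog or OX Security. BASELINE, ALLOWED_LOADERS and the sample JSON are
constructed; capture the real baseline from a clean host of the same build."""
import json

# Program types that can observe or alter syscall and process visibility. Any program of
# these types that is not in the baseline deserves a look; the page reports IronWorm loads
# custom eBPF programs to filter process-monitoring syscalls.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Hypothetical baseline: (type, name) pairs recorded from a clean host.
BASELINE = {("cgroup_skb", "sd_fw_egress"), ("cgroup_skb", "sd_fw_ingress"),
            ("cgroup_device", "sd_devices")}

# Hypothetical allow-list of process names expected to hold BPF program descriptors.
ALLOWED_LOADERS = {"systemd", "edr-agent", "netmon"}

def capture_baseline(bpftool_json):
    """Turn a clean host's `bpftool -j prog show` output into a (type, name) baseline set."""
    return {(p.get("type"), p.get("name", "")) for p in json.loads(bpftool_json)}

def triage_bpf_programs(bpftool_json, baseline=BASELINE, allowed_loaders=ALLOWED_LOADERS):
    """Return findings for loaded programs outside the baseline, with the reasons flagged."""
    findings = []
    for prog in json.loads(bpftool_json):
        ptype, name = prog.get("type"), prog.get("name", "")
        if (ptype, name) in baseline:
            continue
        reasons = []
        if ptype in HOOK_TYPES:
            reasons.append("kernel hook program not in baseline")
        # "pids" lists the processes holding a descriptor to the program (present when
        # bpftool can iterate process fds); an unexpected holder is the loader to examine.
        holders = {p.get("comm") for p in prog.get("pids", [])}
        unexpected = sorted(holders - allowed_loaders)
        if unexpected:
            reasons.append("held by unexpected process: " + ", ".join(unexpected))
        if reasons:
            findings.append({"id": prog.get("id"), "type": ptype, "name": name,
                             "loaded_at": prog.get("loaded_at"), "reasons": reasons})
    return findings

# Constructed sample in the shape of `bpftool -j prog show`; ids, tags and timestamps are made up.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 7, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "0000000000000001",
     "loaded_at": 1780000000, "uid": 0, "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 42, "type": "kprobe", "name": "kp_unnamed", "tag": "0000000000000002",
     "loaded_at": 1780120000, "uid": 0, "pids": [{"pid": 4242, "comm": "cargo-helper"}]},
    {"id": 55, "type": "xdp", "name": "xdp_pass", "tag": "0000000000000003",
     "loaded_at": 1780000100, "uid": 0, "pids": [{"pid": 900, "comm": "netmon"}]},
])

if __name__ == "__main__":
    for finding in triage_bpf_programs(SAMPLE_BPFTOOL_JSON):
        print(finding["id"], finding["type"], finding["name"], "; ".join(finding["reasons"]))
```

    Run the inventory from an external vantage point where possible (a forensic boot, or an agent that reads `/sys/fs/bpf` and the BPF syscall directly), since a rootkit that filters process-listing syscalls can also hide the loader from an on-host `bpftool` run; a baseline mismatch is a lead for the Impact Determination table, not a verdict on its own.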

    Splunk: network connections to Tor nodes

    index=network earliest="06/01/2026:00:00:00" latest="06/05/2026:23:59:59"
    ("asteroiddao" OR "ocrybit" OR "weavedb-base" OR "wdb-sdk" OR "Tor")
    | table _time src_ip dest_ip dest_port bytes command status

    Downstream Abuse Audits

    For any confirmed execution, audit npm registry and GitHub account activity: check whether new repositories were created, workflows modified, or npm packages published via OIDC Trusted Publishing. Rotate cloud access keys (AWS, GCP, Azure), AI API keys (OpenAI, Anthropic, Gemini), and SSH keys immediately, from a clean machine.

    Remediation Gates

    1. Remove compromised versions of affected packages from dependencies and package locks.
    2. Re-resolve dependencies using a clean registry cache.
    3. Revoke npm publication tokens and GitHub classic/fine-grained tokens.
    4. Rotate any keys harvested from the target endpoint.

    Sources

    1. JFrog Security: IronWorm npm Supply Chain eBPF Stealer Worm
    2. OX Security: IronWorm Malicious npm Packages Targeting Arweave
    3. npm registry
    4. GitHub ocrybit profile