{
  "title": "IronWorm npm Supply-Chain Worm Uses eBPF Rootkit",
  "summary": "JFrog Security disclosed the IronWorm campaign, a Rust-based, self-propagating npm information-stealing worm targeting AI API keys, developer SSH/cloud credentials, and cryptocurrency wallets. The malware utilizes an eBPF rootkit for stealth and Tor for C2 communication, propagating by leveraging compromised CI/CD OIDC tokens to publish backdoored updates.",
  "date": "2026-06-03",
  "severity": "critical",
  "tags": [
    "npm",
    "ebpf",
    "supply-chain",
    "credential-theft",
    "rust"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "ironworm-npm-ebpf-stealer-worm",
    "since": "2026-06-03T00:00:00Z",
    "until": "2026-06-03T23:59:59Z",
    "ecosystem": "npm",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "ai3@0.3.5",
      "aonote@0.11.1",
      "arjson@0.1.4",
      "arnext@0.1.5",
      "arnext-arkb@0.0.2",
      "atomic-notes@0.5.3",
      "create-arnext-app@0.0.10",
      "cwao@0.5.6",
      "cwao-tools@0.3.1",
      "cwao-units@0.8.3",
      "fpjson-lang@0.1.7",
      "hbsig@0.3.2",
      "monade@0.0.7",
      "roidjs@0.1.7",
      "test-ajs@0.1.19",
      "test-weavedb-sdk@1.1.1",
      "testnpmnmp@1.0.21",
      "wao@0.41.2",
      "warp-contracts-plugin-deploy-test@3.0.1",
      "wdb-cli@0.1.1",
      "wdb-core@0.1.2",
      "wdb-sdk@0.1.2",
      "weavedb-base@0.45.3",
      "weavedb-client@0.45.3",
      "weavedb-console@0.2.1",
      "weavedb-contracts@0.45.2",
      "weavedb-exm-sdk@0.7.4",
      "weavedb-exm-sdk-web@0.7.4"
    ],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [
      "preinstall hook launching custom Rust binary",
      "unusual loading of eBPF programs"
    ],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}