JFrog — IronWorm: Rust-Based npm Worm with eBPF Rootkit Targets AI/Dev Tooling

AI relevance: IronWorm specifically targets credential stores used by AI developer tools — including OpenAI Codex, Anthropic Claude, Google Gemini, and Cursor — making it a direct threat to the identity surfaces of anyone running AI coding agents or LLM proxy tooling.

What happened

  • JFrog Security published a full teardown of IronWorm, a self-replicating npm supply-chain worm written in Rust, discovered on the compromised asteroiddao account.
  • The malware targets 86 environment variables and credential files associated with OpenAI Codex, Anthropic Claude, Google Gemini, Cursor, AWS, Docker, Kubernetes, and npm.
  • A 976 KB Linux ELF binary hid in the tools/ directory of legitimate-looking packages, executed via a preinstall script that runs before npm resolves dependencies.
  • The binary is a Rust release build with an async runtime — packed with a modified UPX stub (magic value overwritten so that the standard upx -d unpacker does not recognize it) and per-call-site string encryption.
  • After stealing credentials, the worm propagates by pushing malicious commits across nine GitHub organizations, signing them as claude@users.noreply.github.com to mimic Anthropic's chatbot.
  • In CI environments, it abuses npm's Trusted Publishing flow to obtain short-lived tokens for pushing poisoned versions back to the registry — closing the self-replication loop.
  • An eBPF kernel rootkit hides processes and sockets from analysis; on systems with kernel lockdown enabled, the hiding fails but the harvester still executes.
  • Malicious versions were deprecated within a day, and most commits silently removed — a sign of active cleanup by the operator.

Why it matters

  • IronWorm is one of the most sophisticated supply-chain worms targeting AI developer credential surfaces — specifically hunting Codex, Claude, and Gemini auth tokens.
  • The Rust + eBPF rootkit combination is unprecedented in npm malware, signaling well-resourced attackers.
  • Self-propagation via stolen GitHub PATs and npm Trusted Publishing means a single infected developer can poison an entire organization's dependency chain.
  • The claude@users.noreply.github.com signing demonstrates deliberate deception aimed at AI-security incident responders.
  • IronWorm and Miasma are distinct but coordinated campaigns hitting the npm ecosystem simultaneously — suggesting a shared threat actor or at least shared tooling.

What to do

  • Audit all npm packages installed from the asteroiddao account, particularly weavedb-sdk versions published in the attack window.
  • Rotate all AI platform credentials (Codex, Anthropic, Gemini, Cursor) if you have installed packages from compromised accounts.
  • Block preinstall and postinstall scripts via the --ignore-scripts flag or the ignore-scripts npm config setting until you've audited the package.
  • Check for eBPF rootkit indicators — unusual kernel module loads or hidden processes on developer machines.
  • Review GitHub commit history for unsigned commits authored as claude@users.noreply.github.com across your organization's repos.
  • Monitor npm Trusted Publishing events for unexpected package publications from your CI pipelines.
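
One way to triage an installed dependency tree for the delivery pattern described above (an install-time lifecycle script in a package that also ships a Linux ELF file, such as the one under tools/). This is an added example, not JFrog's tooling or code from the original write-up; the function names and the fixture package names are illustrative assumptions.

```python
import json
import os
import tempfile
# Added example: all names are illustrative; the fixture in demo() is constructed.
ELF_MAGIC = b"\x7fELF"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # lifecycle scripts npm runs on install

def is_elf(path):
    """True if the file at path starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def audit_package(pkg_dir):
    """Return (install hooks, relative ELF paths) for one unpacked package."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts")
    except (OSError, ValueError, AttributeError):  # unreadable, malformed or non-object manifest
        scripts = None
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if isinstance(scripts, dict) and h in scripts}
    elfs = []
    for root, dirs, files in os.walk(pkg_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]  # nested deps are scanned on their own
        paths = [os.path.join(root, name) for name in files]
        elfs += [os.path.relpath(p, pkg_dir) for p in paths if not os.path.islink(p) and is_elf(p)]
    return hooks, sorted(elfs)

def scan_tree(top):
    """Flag packages under top that declare an install hook AND ship an ELF file."""
    findings = []
    for root, _dirs, files in os.walk(top):
        hooks, elfs = audit_package(root) if "package.json" in files else ({}, [])
        if hooks and elfs:
            findings.append({"package": os.path.relpath(root, top), "hooks": hooks, "elf": elfs})
    return sorted(findings, key=lambda f: f["package"])

def demo():  # scan a constructed fixture: one package matching the pattern, one benign
    files = {"constructed-bad/package.json": b'{"scripts": {"preinstall": "./tools/helper"}}',
             "constructed-bad/tools/helper": ELF_MAGIC + b"\x00" * 12,  # header stub, not a binary
             "constructed-ok/package.json": b'{"scripts": {"postinstall": "node build.js"}}'}
    with tempfile.TemporaryDirectory() as top:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(top, rel)), exist_ok=True)
            with open(os.path.join(top, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(top)
```

Installing with --ignore-scripts first and then calling scan_tree("node_modules") lists the packages to review before any hook is allowed to run. Packages that legitimately ship prebuilt native binaries will also match, so treat the output as a triage list.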

Sources