IronWorm Malware Targets Web3 Developers via Malicious npm Packages
Severity: High (Score: 72.5)
Sources: Kucoin, Weex
Keywords: ironworm, slowmist, malware, web3, supply, chain, targeting
Severity indicators: supply chain, malware, worm
Summary
SlowMist has identified a new Rust-based supply chain malware named IronWorm, which is actively attacking developer environments in the Web3 ecosystem through malicious npm packages. The malware exhibits various attack behaviors, including credential theft, wallet mnemonic and password harvesting, GitHub repository tampering, and CI/CD secret leakage. It employs Tor for command-and-control operations and utilizes eBPF rootkits for stealth. Security teams are advised to audit their repositories for suspicious activities and remove or deprecate affected package versions. They should also rotate any exposed keys and tokens and rebuild potentially compromised systems from clean images. This threat poses a significant risk to developers and organizations involved in the Web3 space. The situation is ongoing, with recommendations for immediate action to mitigate risks.

Key Points:
- IronWorm is a new Rust-based supply chain malware targeting Web3 developers.
- The malware can steal credentials, tamper with GitHub repositories, and leak CI/CD secrets.
- Security teams are urged to audit repositories and take immediate remediation steps.
Detailed Analysis
**Impact**

Web3 developers and the broader Web3/crypto ecosystem are targeted by IronWorm through malicious npm packages. The attack risks credential theft, wallet mnemonic and password compromise, GitHub repository tampering, and leakage of CI/CD secrets. This can lead to unauthorized access, code integrity issues, and operational disruption in development environments globally. No specific numbers or geographic details were provided.

**Technical Details**

IronWorm is a Rust-based supply chain malware delivered via malicious npm packages. Attack techniques include credential and wallet mnemonic theft, GitHub repository tampering, malicious package publishing, CI/CD secret leakage, Tor-based command-and-control communication, and persistence through eBPF rootkits. Indicators of compromise include suspicious commits from automated identities such as claude, dependabot, renovate, or github-actions, backdated (retroactive) commits, suspicious branches, and unexpected build hooks. No CVEs or specific infrastructure details were disclosed.

**Recommended Response**

Security teams should urgently audit repositories for retroactive commits, suspicious branches, unexpected build hooks, and commits from automated identities. Affected package versions must be removed or deprecated, and clean versions published. All leaked keys and tokens should be rotated, GitHub Actions artifacts reviewed, and potentially compromised developer or CI systems rebuilt from clean images. Monitoring for Tor-based command-and-control activity and eBPF rootkit presence is advised.
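The repository audit recommended above can be partly scripted. The following is an added example written for this page, not SlowMist's tooling or anything from the source articles: it scans `git log --format='%H|%an|%aI|%cI|%s'` output for commits authored by the automated identities the advisory names, flags commits whose author date is far earlier than their committer date (one signature of a backdated or rewritten commit), and lists install-time lifecycle hooks in a `package.json`. The git log lines and package manifest are constructed samples; hashes, authors and script names are made up. The indicator names and the seven-day skew threshold are this example's assumptions.

```python
"""Repository audit helpers for the IronWorm indicators listed in the advisory.

Added example, not SlowMist's code. All sample data below is constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Automated identities the advisory names as suspicious commit authors.
AUTOMATED_IDENTITIES = ("claude", "dependabot", "renovate", "github-actions")

# npm lifecycle scripts that execute during `npm install` and therefore act
# as build hooks a malicious package can abuse.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample in the shape of: git log --format='%H|%an|%aI|%cI|%s'
# (short hashes used for readability; none of these are real commits).
SAMPLE_GIT_LOG = """\
a1b2c3d|alice|2026-06-03T10:00:00+00:00|2026-06-03T10:00:00+00:00|fix: bump version
f4e5d6c|github-actions[bot]|2026-06-02T09:30:00+00:00|2026-06-02T09:30:00+00:00|chore: update deps
0099aa1|bob|2026-01-15T08:00:00+00:00|2026-06-01T12:00:00+00:00|refactor build script
7788bb2|carol|2026-05-30T14:00:00+00:00|2026-05-30T14:05:00+00:00|docs: readme
"""

# Constructed sample package.json with one install-time hook.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-web3-sdk",
  "version": "1.2.3",
  "scripts": {
    "build": "tsc -p .",
    "test": "jest",
    "postinstall": "node scripts/setup.js"
  }
}"""


def parse_git_log(text):
    """Parse pipe-separated git log lines into dicts with parsed dates."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, adate, cdate, subject = line.split("|", 4)
        commits.append({
            "sha": sha,
            "author": author,
            "author_date": datetime.fromisoformat(adate),
            "committer_date": datetime.fromisoformat(cdate),
            "subject": subject,
        })
    return commits


def find_automated_commits(commits):
    """Return SHAs whose author name matches an automated identity."""
    pattern = re.compile("|".join(re.escape(n) for n in AUTOMATED_IDENTITIES),
                         re.IGNORECASE)
    return [c["sha"] for c in commits if pattern.search(c["author"])]


def find_backdated_commits(commits, max_skew_days=7):
    """Return SHAs whose author date precedes the committer date by more than
    max_skew_days. A large gap means the commit was created (or rewritten)
    long after the date it claims, which is how a retroactive commit hides
    among older history. Legitimate rebases produce small gaps, so tune the
    threshold to the repository's workflow."""
    skew = timedelta(days=max_skew_days)
    return [c["sha"] for c in commits
            if c["committer_date"] - c["author_date"] > skew]


def find_install_hooks(package_json_text, allowed=()):
    """Return install-time lifecycle scripts not on the project's allowlist."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items()
            if name in INSTALL_HOOKS and name not in allowed}


def audit(git_log_text, package_json_text):
    """Run all three checks and return the findings as one dict."""
    commits = parse_git_log(git_log_text)
    return {
        "automated_commits": find_automated_commits(commits),
        "backdated_commits": find_backdated_commits(commits),
        "install_hooks": find_install_hooks(package_json_text),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GIT_LOG, SAMPLE_PACKAGE_JSON), indent=2))
```

Run against a real checkout by piping `git log --format='%H|%an|%aI|%cI|%s'` into `parse_git_log` and reading the repository's `package.json`; a hit from any check is a lead for manual review (compare the commit against its pull request, read the hook script), not proof of compromise, since bots and rebases produce legitimate matches.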
Source articles (3)
- SlowMist Discovers IronWorm, a Rust supply chain malware targeting Web3 developers — Kucoin · 2026-06-04
  Odaily Planet Daily reports that SlowMist posted on X that its threat intelligence system has detected a new Rust-based supply chain malware campaign named IronWorm, which is actively targeting develo…
- SlowMist: The new Rust supply chain malicious activity IronWorm is attacking the Web3 ... — Weex · 2026-06-04
  According to SlowMist monitoring, a new type of Rust supply chain malware activity named IronWorm is attacking developer environments and the Web3 ecosystem through malicious npm packages. Potential a…
- SlowMist Discovers IronWorm Malware Targeting the Web3 Ecosystem via npm Packages — Kucoin · 2026-06-04
  SlowMist monitoring has detected a new Rust supply chain malware, IronWorm, targeting developer environments and the Web3 ecosystem through malicious npm packages. Attack activities include credential…
Timeline
- 2026-06-04 — IronWorm malware detected: SlowMist reported the discovery of IronWorm, targeting developer environments through malicious npm packages.
- 2026-06-04 — Security recommendations issued: SlowMist advised security teams to audit repositories and take steps to mitigate the IronWorm threat.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- WEEX WXT Eco Carnival (Campaign)
- CWE-200 - Exposure of Sensitive Information (CWE)
- IronWorm (Malware)
- T1003 - OS Credential Dumping (MITRE ATT&CK)
- T1014 - Rootkit (MITRE ATT&CK)
- T1071 - Application Layer Protocol (MITRE ATT&CK)
- T1195 - Supply Chain Compromise (MITRE ATT&CK)
- GitHub (Platform)
- Tor (Platform)
- GitHub Actions (Tool)
- Npm (Tool)