IronWorm Malware Targets Crypto Developers Through npm Supply Chains

Cybersecurity researchers have uncovered a new malware campaign targeting cryptocurrency developers through the software supply chain. The malware, known as IronWorm, is a Rust-based infostealer built to collect wallet credentials, cloud service keys, and GitHub authentication tokens. Security firms SlowMist and JFrog Security Research shared findings on June 4, 2026, showing that IronWorm spreads through trusted software distribution channels, so a single compromised package can affect every project that depends on it. Because the payload is launched from a package's install script rather than from code a reviewer would normally read, it sidesteps conventional code review. The discovery highlights the growing threat of supply chain attacks against cryptocurrency, AI, and open-source development environments.

IronWorm Distributed Through Malicious npm Packages

JFrog's investigation found that IronWorm was distributed through npm packages tied to an account identified as asteroiddao. The attackers uploaded packages that looked legitimate while bundling a Linux binary payload among the installed files. Infection was triggered automatically by npm preinstall scripts, which npm runs during `npm install` unless lifecycle scripts are disabled (`npm install --ignore-scripts` or `npm config set ignore-scripts true`), so a developer could compromise a machine simply by installing what appeared to be an ordinary package, including as a transitive dependency pulled in by something else.

One package that attracted attention during the investigation was [email protected], which displayed suspicious behavior during execution. Analysis revealed multiple techniques intended to hinder detection and reverse engineering, including encrypted strings, a customized build of the UPX packer (a common way to defeat the stock `upx -d` unpacker), and convoluted Rust code structures that obscure the malware's functionality. After unpacking the binary, researchers found modules that talk to the GitHub API, harvest credentials, and support self-replication.

Researchers reported that IronWorm not only steals credentials but also modifies software repositories and republishes compromised packages. This self-propagating behavior creates a cycle in which compromised developer accounts are used to publish further malicious packages, letting the malware spread across open-source projects and Web3 applications without any further attacker involvement.

IronWorm Targets Developer Credentials and Uses Stealth Techniques

Researchers stated that IronWorm targets credentials across a broad range of development environments. The malware seeks access to cloud platforms such as AWS, container technologies including Kubernetes and Docker, artificial intelligence development environments, and cryptocurrency wallets. Investigators found that the malware specifically targets Exodus wallet users by attempting to capture passwords and recovery phrases as they are entered.

JFrog identified 57 fraudulent commits across nine organizations. The changes were disguised as routine maintenance and attributed to trusted automated identities such as claude, dependabot, and github-actions, so the malicious activity blended in with ordinary development workflows. Git author names and emails are free-form metadata that anyone with push access can set to any value, so the only reliable way to tell a genuine bot commit from an impersonated one is to check the commit's signature rather than its author string.

To persist and evade detection, IronWorm loads an eBPF rootkit that hides its running processes and network connections from the host. Researchers noted that the malware routes command-and-control traffic and data exfiltration over Tor, which makes its network activity much harder to trace back to an operator. Despite these capabilities, investigators found operational mistakes by the attackers, including debugging information left in the binary and one hardcoded wallet recovery phrase that was exposed.

Supply Chain Attacks Target Cryptocurrency Development Ecosystems

The discovery of IronWorm follows several similar incidents reported throughout the year. In May, researchers identified the TrapDoor campaign, which leveraged malicious packages across npm, PyPI, and Crates.io to target developers working in cryptocurrency, decentralized finance, artificial intelligence, and cybersecurity sectors.

SlowMist warned about another malware strain known as Mini Shai-Hulud, which infected more than 170 JavaScript packages. Security experts noted that the malware spread through widely used open-source libraries, increasing potential exposure across the software ecosystem. Earlier this year, attackers compromised Axios package releases after obtaining access to publishing credentials.

FAQ

What is IronWorm malware?

IronWorm is a Rust-based infostealer that targets cryptocurrency developers through software supply chains. Security firms SlowMist and JFrog Security Research reported on June 4, 2026, that the malware collects wallet credentials, cloud service keys, and GitHub authentication tokens by spreading through npm packages.

How does IronWorm spread across development environments?

IronWorm spreads through malicious npm packages uploaded by an account identified as asteroiddao. The malware uses npm preinstall scripts to trigger automatic infections and can modify software repositories to republish compromised packages, creating a self-propagating cycle across open-source projects.

What techniques does IronWorm use to avoid detection?

IronWorm uses encrypted strings, a customized UPX packing tool, and complex Rust code structures to hinder reverse engineering. The malware deploys an eBPF rootkit to hide processes and network communications, and uses Tor-based infrastructure for command-and-control operations.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.