Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively.

According to JFrog, the information stealer “scrapes every secret it can find on a developer’s machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor.”

The stealer also uses the stolen credentials as a propagation mechanism, drawing similarities to the infamous Shai-Hulud worm. The new malware has been codenamed IronWorm by the software supply chain security company. Because it publishes itself to the npm registry in the form of trojanized packages, the result is a self-replicating attack.

The malicious activity has been traced back to a compromised npm account named “asteroiddao,” which has been found to publish package versions containing the Rust ELF binary that’s executed via a preinstall hook.
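A defender-side check for the install-hook behaviour described above, added here as an example (it is not code from JFrog or from the article): it reads an unpacked package's `package.json`, flags any install-time lifecycle script, and reports when that script launches a file inside the package that carries the ELF magic bytes. The package name `sample-pkg` and the `./bin/loader` path are constructed fixtures, not values from the report.

```python
import json
import os
import shlex
import tempfile

# Lifecycle scripts npm runs automatically during install; the report notes
# the IronWorm binary was launched from a "preinstall" hook.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def audit_package(pkg_dir):
    """Return (hook, command, reason) findings for one unpacked package."""
    with open(os.path.join(pkg_dir, "package.json")) as f:
        scripts = json.load(f).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install-time hook deserves review; a bundled native binary more so.
        reason = "install-time hook present"
        for token in shlex.split(cmd):
            candidate = os.path.join(pkg_dir, token.lstrip("./"))
            if os.path.isfile(candidate) and is_elf(candidate):
                reason = f"hook runs bundled ELF binary {token}"
                break
        findings.append((hook, cmd, reason))
    return findings

def build_sample_package():
    """Constructed fixture: a package whose preinstall hook runs a fake ELF file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "package.json"), "w") as f:
        json.dump({"name": "sample-pkg", "version": "1.0.0",
                   "scripts": {"preinstall": "./bin/loader", "test": "jest"}}, f)
    os.makedirs(os.path.join(d, "bin"))
    with open(os.path.join(d, "bin", "loader"), "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 12)  # header stub only, not a real program
    return d

if __name__ == "__main__":
    for hook, cmd, reason in audit_package(build_sample_package()):
        print(f"{hook}: {cmd!r} -> {reason}")
```

Run it over the contents of `node_modules` (or an `npm pack` extraction) before trusting a dependency; `test` and other non-install scripts are deliberately ignored.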

The malware targets 86 environment variables, various files that may contain credentials associated with OpenAI Codex, Anthropic, Claude, Google Gemini, Cursor, Amazon Web Services (AWS), Docker, Kubernetes, and npm, vault configurations, and Exodus cryptocurrency wallet files.

An unusual quirk worth mentioning here is that the stealer includes logic for the wallet data-stealing component to skip the threat actor’s own wallet. As of writing, the cryptocurrency wallet is empty, and no transactions have been recorded.

JFrog described IronWorm as “a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub.” The malicious commits, which span nine GitHub organizations, have been introduced under the author name “claude” (“[email protected]”) in an attempt to mimic Anthropic’s artificial intelligence (AI) chatbot.

“The malicious npm package was published by asteroiddao; asteroiddao corresponds to the asteroid-dao GitHub organization; and ocrybit is a member of that organization, as well as related Arweave organizations,” the company explained.

“The malware stole ocrybit’s credentials and used them to push commits across repositories it could access. Those commits planted malware into other packages, which could then be published and infect the next developer. And then it vanished.”

What’s more, the malicious payload is equipped to swap existing GitHub Actions workflows for one that’s capable of harvesting the secrets, writing them to a harmless-looking file, and uploading that file as a build artifact, thereby eliminating the need for an external command-and-control (C2) server.

The malware’s capabilities don’t end there. In CI environments, it abuses npm’s Trusted Publishing flow to obtain short-lived tokens to push poisoned versions containing the malware to the registry.

It also incorporates an eBPF payload that functions as a kernel-level rootkit to hide processes and thwart analysis. However, on…




Last Update: June 5, 2026