INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Rust Vulnerability Exploit Hits NPM Supply Chain
2026-06-04 21:47 | MEDIUM | LOW
Executive Summary (AI-generated)
IronWorm, a newly discovered malware campaign targeting the open source software ecosystem, has emerged as a significant concern. The campaign exploits vulnerabilities in developers' workflows and packages to spread further across the supply chain. By leveraging stolen code, weaponized commits, and counterfeit Python package sources, attackers have hijacked GitHub accounts and affected at least 36 unique npm packages with more than 32,000 combined monthly downloads. The malware's architectural similarities to last year's Shai-Hulud worm also raise concerns about its potential impact on the global cybersecurity landscape.
Technical Mitigations (AI-generated)
• Use secure and up-to-date software development tools, such as version control systems (e.g., Git) with robust security features.
• Implement code review and testing mechanisms to detect vulnerabilities early in the development process.
• Regularly update dependencies and libraries using trusted package managers like npm or YUM.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
• Campaign: JFrog
• Malware: Shai-Hulud
Target & Sectors
• Regions: NORTH_AMERICA, LATAM, APAC
• Sector: finance
Incident Timeline
2025/06/04
Shai-Hulud's worm exploited vulnerabilities in npm to infect systems.
Entities referenced: Shai-Hulud (malware), IronWorm, Tor.
IronWorm's payload shares architectural similarities with last year's Shai-Hulud worm and features a unique combination of mechanisms for credential theft, persistence, and covert Tor-based command-and-control communications (C2), JFrog said.
2026/06/04
The threat actors used Rust-written IronWorm to target npm supply chains.
Entities referenced: JFrog, Arweave/WeaveDB, API, SSH, CI, Linux (infrastructure), Berkeley Packet Filter, 32,000 combined monthly downloads (infrastructure).
"The closest comparison is the Shai-Hulud campaign," JFrog said.
JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.
The security vendor's analysis showed IronWorm uses a rootkit that abuses the Linux kernel's extended Berkeley Packet Filter (eBPF) to hide malicious processes, files, network activity, and other behavior from security systems.
The campaign, which JFrog has dubbed "IronWorm," targets developers through compromised npm publishing workflows and malicious package updates.
The malware, written in Rust, harvests a wide range of developer secrets, including API keys, cloud credentials, SSH keys, and npm publishing tokens, and reuses them to spread further across the software supply chain.
Driving the interest is the fact that developers often hold privileged access to source code repositories, package registries, cloud environments, CI/CD pipelines, and signing keys.
Researchers at OX Security, also tracking the campaign, described it as having affected at least 36 unique npm packages with more than 32,000 combined monthly downloads.
Tactical Metrics
• Affected Product (infrastructure): Linux. Context: The security vendor's analysis showed IronWorm uses a rootkit that abuses the Linux kernel's extended Berkeley Packet Filter (eBPF) to hide malicious processes, files, network activity, and other behavior from security systems.
• Combined Monthly Downloads (infrastructure): 32,000. Context: Researchers at OX Security, also tracking the campaign, described it as having affected at least 36 unique npm packages with more than 32,000 combined monthly downloads.
Intelligence Sources
• Dark Reading, 2026-06-04: Rust-Written IronWorm Hits NPM Supply Chain
Incident Version History: current version, last updated 2026-06-29T06:20
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category      | Field                  | Value                    | Kind
13x   | organisation  | Identified Entity      | Silent Ransom Group Hits | entity
4x    | target region | Target Country         | United States            | country
2x    | timeline      | Temporal Reference     | 2025/06/04               | date
2x    | target region | Target Region          | APAC                     | region
2x    | tactic        | MITRE ATT&CK Technique | T1588.001 - Malware      | technique
Contextual Telemetry (Context Block, 9 metrics)
Category       | Field                     | Value      | Kind
tactic         | Cyber Operation Type      | Extortion  | tactic
malware        | Malware Payload           | Shai-Hulud | tool
campaign       | Campaign                  | JFrog      | operation
infrastructure | Affected Product          | Linux      | software
general metric | Unique Npm Packages       | 36         | unique npm packages
infrastructure | Combined Monthly Downloads | 32,000    | combined monthly downloads
general metric | Malicious Code Changes    | 57         | malicious code changes
general metric | Github Repositories       | 5,500      | github repositories
industry       | Targeted Sector           | Finance    | sector