
Malicious npm Packages Spread Self-Propagating Developer Malware

The IronWorm campaign uses compromised npm packages to steal developer credentials and automatically spread malware through GitHub repositories.

CSBadmin

A sophisticated supply chain attack campaign known as IronWorm has been discovered targeting software developers through poisoned npm packages. The campaign uses compromised packages to steal sensitive information while also spreading itself through developer workflows.

How the Attack Works

Attackers republished several npm packages from a compromised account, embedding a hidden Linux binary within each one. The malicious code is disguised inside a folder path that developers would rarely examine. When a developer runs npm install, the binary executes automatically without requiring any additional user interaction.
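The article does not say which install hook the packages used, only that the binary runs as soon as npm install completes. The usual way a package achieves that is a lifecycle script (preinstall, install, postinstall, prepare) in package.json, so the added audit script below, which is not code from the article or from any of the affected packages, assumes that mechanism. It walks an unpacked package directory, lists any lifecycle hooks, finds files whose magic bytes mark them as native executables, notes whether they sit under a dot-directory that a developer would rarely open, and scores the combination. The sample package it builds in a temporary directory is constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# package.json script hooks that npm runs automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Magic bytes of native executables: ELF (Linux), 64-bit Mach-O (macOS), PE/MZ (Windows)
BINARY_MAGICS = {
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"MZ": "PE",
}


def classify_file(path: Path):
    """Return the executable format name if the file starts with a known magic, else None."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, name in BINARY_MAGICS.items():
        if head.startswith(magic):
            return name
    return None


def audit_package(pkg_dir):
    """Collect lifecycle hooks from package.json and native binaries anywhere in the tree."""
    pkg_dir = Path(pkg_dir)
    findings = {"hooks": {}, "binaries": []}
    manifest = pkg_dir / "package.json"
    if manifest.exists():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        findings["hooks"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            p = Path(root) / name
            kind = classify_file(p)
            if kind is None:
                continue
            rel = p.relative_to(pkg_dir)
            findings["binaries"].append({
                "path": rel.as_posix(),
                "format": kind,
                # a binary under a dot-directory is the "rarely examined path" pattern
                "in_hidden_dir": any(part.startswith(".") for part in rel.parts),
            })
    return findings


def risk_score(findings):
    """Heuristic: hooks and shipped binaries each add 1; a hook that invokes a shipped binary adds 2."""
    score = 0
    if findings["hooks"]:
        score += 1
    if findings["binaries"]:
        score += 1
    for b in findings["binaries"]:
        basename = b["path"].rsplit("/", 1)[-1]
        if any(basename in cmd for cmd in findings["hooks"].values()):
            score += 2
    return score


def build_sample_package():
    """Constructed sample directory mimicking the article's pattern; not a real package."""
    d = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (d / "package.json").write_text(json.dumps({
        "name": "example-lib",  # hypothetical name
        "version": "1.0.0",
        "scripts": {"postinstall": "./lib/.cache/helper", "test": "jest"},
    }))
    bin_dir = d / "lib" / ".cache"
    bin_dir.mkdir(parents=True)
    (bin_dir / "helper").write_bytes(b"\x7fELF" + b"\x00" * 60)  # fake ELF header
    (d / "index.js").write_text("module.exports = {};\n")
    return d


if __name__ == "__main__":
    sample = build_sample_package()
    result = audit_package(sample)
    print(json.dumps(result, indent=2))
    print("risk score:", risk_score(result))
```

Run it against a package extracted with `npm pack` followed by `tar xzf` rather than against an installed node_modules tree, since by then the hook has already run. The score is a triage aid, not a verdict: native add-ons legitimately ship binaries and use install hooks, but a hook that executes a binary hidden under a dot-directory deserves a manual look before the package is allowed into a build.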

The malware is written in Rust and functions as an information stealer. It scrapes credentials, API keys, and cryptocurrency wallet recovery phrases from infected developer machines. The binary is compressed with a modified UPX packer whose standard signatures have been removed to evade detection, and it decrypts its internal strings with a different key at each use site to complicate reverse engineering.

Impact and Self-Propagation Mechanism

IronWorm distinguishes itself through an aggressive self-propagation technique. After stealing credentials, the malware uses them to push backdated commits into the victim’s GitHub repositories, planting malicious code in other packages. Those infected packages are then published to npm, creating a chain that can compromise additional developers who install them.

Security researchers identified 57 backdated malicious commits spread across nine GitHub organizations. The attackers disguised their activity by copying timestamps from the repository’s last legitimate commit, making the malicious entries appear years old and reducing suspicion during code reviews. The malware communicates with its command-and-control infrastructure through the Tor network and hides behind a kernel-level rootkit.
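Copying the timestamp of the last legitimate commit leaves a trace that a repository owner can check for: the forged commit carries exactly the same timestamp as an existing commit, and if the attacker reorders or rewrites history the commit can even claim to predate its own parent. The added script below, which is not code from the article or from the researchers who analysed the campaign, parses output in the shape of `git log --format='%H|%P|%an|%at|%ct|%s'` and flags both patterns. The sample log it carries is constructed for the demonstration; commit c1 is the real last commit, c2 reuses c1's timestamp, and c3 is dated before its parent.

```python
from dataclasses import dataclass, field

# Constructed sample in the shape of:
#   git log --format='%H|%P|%an|%at|%ct|%s'
# (newest first; parents space-separated). Not real repository data.
SAMPLE_LOG = """\
c3|c2|dev|1570000000|1570000000|Refactor helpers
c2|c1|dev|1577000000|1577000000|Update build script
c1|c0|dev|1577000000|1577000000|Fix typo in README
c0||dev|1560000000|1560000000|Initial commit
"""


@dataclass
class Commit:
    sha: str
    parents: list = field(default_factory=list)
    author: str = ""
    author_ts: int = 0
    commit_ts: int = 0
    subject: str = ""


def parse_log(text):
    """Parse pipe-separated git log lines into a sha->Commit map plus the log's own order."""
    commits, order = {}, []
    for line in text.strip().splitlines():
        sha, parents, author, ats, cts, subject = line.split("|", 5)
        commits[sha] = Commit(sha, parents.split(), author, int(ats), int(cts), subject)
        order.append(sha)
    return commits, order


def find_backdated(commits, order):
    """Return (sha, reason) pairs for commits whose dates contradict the history around them."""
    findings = []
    seen = {}  # commit timestamp -> sha of the first commit walked that carries it
    for sha in reversed(order):  # git log is newest-first; walk oldest-first
        c = commits[sha]
        for p in c.parents:
            parent = commits.get(p)
            # a child committed before its parent is impossible in honest history
            if parent is not None and c.commit_ts < parent.commit_ts:
                findings.append((sha, f"committed before its parent {p}"))
        # an exact duplicate timestamp is the copy-the-last-commit pattern
        if c.commit_ts in seen:
            findings.append((sha, f"timestamp identical to {seen[c.commit_ts]}"))
        else:
            seen[c.commit_ts] = sha
    return findings


def suspicious_shas(log_text):
    """Convenience wrapper: list of flagged commit hashes in history order."""
    commits, order = parse_log(log_text)
    return [sha for sha, _ in find_backdated(commits, order)]


if __name__ == "__main__":
    commits, order = parse_log(SAMPLE_LOG)
    for sha, reason in find_backdated(commits, order):
        print(f"{sha}: {reason} ({commits[sha].subject!r})")
```

Two exact-second duplicates can occur legitimately when a script creates several commits in a row, so treat a hit as a prompt to inspect the diff, not as proof of tampering. The stronger signal, which this offline check cannot see, is the gap between a commit's claimed date and the time the server actually received the push; GitHub's event and audit logs record that receive time, and a commit that "happened" years before the push that introduced it is what the campaign relied on reviewers not checking.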

Source: Cyber Security News
