Cybersecurity researchers have uncovered a new malware campaign aimed at the cryptocurrency development ecosystem, raising concerns about the security of software supply chains used by developers. The malware, known as IronWorm, has been identified as a sophisticated Rust-based infostealer capable of bypassing traditional code review and security auditing processes.
According to findings shared by security firms SlowMist and JFrog Security Research, IronWorm is designed to collect highly sensitive information from infected systems. The malware reportedly targets cryptocurrency wallet credentials, cloud service access keys, GitHub authentication tokens, and various development-related login credentials. Researchers indicated that the threat is particularly dangerous because it spreads through trusted software distribution channels, allowing a single compromised package to affect numerous projects and developers.
Researchers reported that IronWorm not only steals credentials but can also modify software repositories and republish compromised packages, enabling the malware to spread autonomously across development ecosystems.
This self-propagating behavior creates a cycle in which compromised developer accounts are used to distribute additional malicious packages. As a result, the malware can expand its reach across open-source projects and Web3 applications without requiring direct interaction from attackers.
Malicious npm Packages Used as Delivery Method
JFrog’s investigation revealed that the malware was distributed through npm packages associated with an account identified as asteroiddao. Researchers explained that attackers uploaded packages that appeared legitimate while secretly embedding Linux-based malware within installation files.
The infection process was triggered automatically through npm preinstall scripts. This mechanism meant that developers could unknowingly compromise their systems simply by installing what appeared to be a normal software package. One package that attracted attention during the investigation was [email protected], which reportedly displayed suspicious behavior during execution.
Further analysis revealed multiple techniques intended to hinder detection and reverse engineering efforts. Investigators found encrypted strings, a customized version of the UPX packing tool, and complex Rust code structures designed to conceal the malware’s functionality. After unpacking the code, researchers discovered modules connected to GitHub APIs, credential harvesting activities, and mechanisms that supported self-replication.
Credential Theft and Stealth Features Raise Concerns
Researchers stated that IronWorm aggressively targets credentials across a broad range of development environments. The malware reportedly seeks access to cloud platforms such as AWS, container technologies including Kubernetes and Docker, artificial intelligence development environments, and cryptocurrency wallets.
🚨 SlowMist TI Alert 🚨
A new Rust-based supply-chain malware campaign, IronWorm, actively targeting developer environments and Web3/crypto ecosystems via malicious npm packages.
Potential attacker actions include credential theft, wallet seed and password theft, GitHub… pic.twitter.com/3ZgDHmrIuw
— SlowMist (@SlowMist_Team) June 4, 2026
Investigators found that the malware specifically targets Exodus wallet users by attempting to capture passwords and recovery phrases as they are entered.
JFrog also discovered 57 fraudulent commits distributed across nine organizations. These changes were disguised as routine maintenance updates and attributed to trusted automated identities such as claude, dependabot, and github-actions. This tactic reportedly helped malicious activity blend in with legitimate software development processes.
To maintain persistence and avoid detection, IronWorm deploys an eBPF rootkit capable of hiding active processes and network communications. Researchers further noted that the malware uses Tor-based infrastructure for command-and-control communications and data exfiltration, making its network traffic significantly harder to trace.
Despite its advanced capabilities, investigators identified operational mistakes by the attackers. Debugging information was reportedly left within the malware, and one hardcoded wallet recovery phrase was exposed, potentially revealing information about the campaign operators.
Growing Trend of Supply-Chain Attacks
The discovery of IronWorm highlights the growing threat of supply-chain attacks, where malicious actors compromise trusted software packages to infiltrate cryptocurrency, AI, cybersecurity, and open-source development environments.
The campaign follows several similar incidents reported throughout the year. In May, researchers identified the TrapDoor campaign, which leveraged malicious packages across npm, PyPI, and Crates.io to target developers working in cryptocurrency, decentralized finance, artificial intelligence, and cybersecurity sectors.
More recently, SlowMist warned about another malware strain known as Mini Shai-Hulud, which reportedly infected more than 170 JavaScript packages. Security experts noted that the malware spread through widely used open-source libraries, increasing potential exposure across the software ecosystem. Earlier this year, attackers also compromised Axios package releases after obtaining access to publishing credentials, further underscoring the risks facing software supply chains.
