Slashdot
New IronWorm Malware Hits 36 Packages In npm Supply-Chain Attack
A new npm supply-chain attack has infected 36 packages with Rust-based infostealer malware called IronWorm. According to BleepingComputer, the malware "targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files." From the report:

According to researchers at supply-chain and devops company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network. The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow. Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.

This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This opens the possibility that the new malware is an evolution of TeamPCP's payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure." [...]

The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts. At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.
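The remediation advice above (upgrade to fixed releases, rotate keys, enable 2FA) assumes a team can quickly tell whether a compromised version is actually installed, including copies nested under other dependencies, which a glance at package.json will not reveal. The following Node.js script is an added example, not code from the Slashdot post, BleepingComputer or JFrog: it audits a parsed package-lock.json against a set of compromised package@version pairs. The blocklist entries and the sample lockfile are constructed placeholders; the real package names and versions come from the JFrog report, which this page does not reproduce.

```javascript
// Added example (not from the Slashdot post or JFrog's report): audit a
// package-lock.json against a set of known-compromised package versions.
// BLOCKLIST entries are CONSTRUCTED placeholders; replace them with the
// package@version pairs from the vendor advisory you are acting on.
const BLOCKLIST = new Set([
  'example-compromised-pkg@1.2.3',      // placeholder, not a real finding
  '@example-scope/another-pkg@4.0.1',   // placeholder, not a real finding
]);

// Return "name@version" for every installed package in a lockfile.
// Handles lockfileVersion 2/3 ("packages" keyed by node_modules path)
// and lockfileVersion 1 ("dependencies" tree, possibly nested).
function installedPackages(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      // The package name is everything after the LAST "node_modules/",
      // which covers nested installs and scoped (@scope/name) packages.
      const idx = path.lastIndexOf('node_modules/');
      const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
      if (meta && meta.version) found.push(`${name}@${meta.version}`);
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (meta.version) found.push(`${name}@${meta.version}`);
        if (meta.dependencies) walk(meta.dependencies); // nested copies
      }
    };
    walk(lock.dependencies);
  }
  return found;
}

// Sorted list of installed package@version pairs that appear on the blocklist.
function findCompromised(lock, blocklist = BLOCKLIST) {
  return installedPackages(lock).filter((id) => blocklist.has(id)).sort();
}

// Constructed sample lockfile (v3) so the script runs stand-alone. Note the
// nested copy of @example-scope/another-pkg at the blocklisted version
// alongside a clean top-level copy at 4.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/example-compromised-pkg': { version: '1.2.3' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@example-scope/another-pkg': { version: '4.0.0' },
    'node_modules/foo/node_modules/@example-scope/another-pkg': { version: '4.0.1' },
  },
};

// Stand-alone use: `node audit-lock.js [path/to/package-lock.json]`.
// Without an argument the constructed sample lockfile is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  console.log(hits.length
    ? `Blocklisted versions installed:\n  ${hits.join('\n  ')}`
    : 'No blocklisted versions found');
}
```

Run it against each repository's package-lock.json (or npm-shrinkwrap.json, which has the same shape) rather than package.json, since the lockfile records the exact resolved versions, including transitive and nested ones. A hit means the install should be treated as compromised: rebuild from a clean environment and rotate every credential the infostealer targets, not just the npm token.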
Including remote code, rise and repeat! (Score:2)

too bad you linked that garbage (Score:2)
The link we wanted was actually in that story, which is worthless by comparison https://www.ox.security/blog/i... [www.ox.security]

Remotely downloaded code (Score:3)
What, exactly, is the point or purpose of including code in your program that is downloaded from a third-party website every time you execute the program? If you want to include a function or subroutine or library in your program, why wouldn't you just download it and use that? "Let's drag in random code every time we run the program" is a huge security hole on its own and I genuinely don't understand why anyone would do that, or would even consider it as a worthwhile idea.

Re: (Score:1)
So, IDE platforms are pretty much the original targets for these supply chain attacks, or enterprise level networks... The framework supply chains, are they just unreported?

Re: (Score:2)
What would happen to modern devs if they lost all connectivity and their reference was just paper manuals? I bet...
(Score:2)
everyone couldn't see this coming once AI/LLM-AI became a thing! Now, you don't have to spend the month reading through code to find the 'oops' that someone goofed on... you can pay some amount to have an AI thingy do that 100x faster than a human and the thingy can find everything and (maybe) it'll let you know about all of them (50/50 chance of if the bugs it finds are only for your eyes, or if it hallucinates and sends the bugs to some hacking group).

Re: (Score:1)
These directory key pair attacks are old but, surprisingly effective. Who hasn't been pushed a bad .tar file on sourceforge way back when.....?

Re: (Score:2)
Those of us who don't depend on .tarballs, haven't been pushed a bad .tar file. I'm Win10 LTSC on all my machines (and, MacOSX High Sierra on the Mac Mini a friend gave me).