IronWorm: Rust-built npm worm ships an eBPF kernel rootkit, Tor C2 and a cloud/AI-credential sweep
From CTI Daily Brief — 2026-06-06 · published 2026-06-06
JFrog Security Research disclosed IronWorm, a self-propagating npm supply-chain worm distributed across roughly 36 packages from a compromised publisher account (JFrog, 2026-06-03; BleepingComputer, 2026-06-04). Unlike the JavaScript-stager Shai-Hulud lineage, IronWorm executes a Rust ELF payload through an install-time preinstall hook and carries an embedded eBPF object (T1195.002 Compromise Software Supply Chain, T1059.004 Unix Shell via lifecycle script). JFrog reports the eBPF component provides kernel-level process, socket and anti-debug concealment — hiding the implant from procfs-based enumeration and many EDR agents — while the command channel runs over Tor: the malware downloads the Tor expert bundle, writes its own torrc, and beacons to a hidden service. The stealer sweeps dozens of environment variables and credential paths spanning AWS, GCP, Azure, HashiCorp Vault, Kubernetes, Docker, GitHub and npm tokens, and the 2026 generation of AI-provider API keys (Anthropic, OpenAI, Gemini and others). Self-propagation reuses stolen npm credentials — including npm Trusted Publishing secrets — to publish trojanised versions of the victim's own packages.
Why it matters to us: The eBPF rootkit moves npm-worm tradecraft below the userland telemetry most pipelines rely on, so process-tree hunting on the build host is no longer sufficient once the implant is loaded; the install-time window before the kernel object is loaded is where host telemetry still sees it. Detection concepts: alert on node/npm/npx parent processes spawning sh/bash during preinstall/postinstall (Sysmon-for-Linux EID 1 process creation; npm runs lifecycle scripts as `sh -c '<script>'`, so allowlist known native-build commands such as node-gyp rather than suppressing the rule), and audit bpf() syscalls with auditd (`-a always,exit -F arch=b64 -S bpf`), treating BPF_PROG_LOAD from any binary other than your own EDR/observability agents as an incident. Note that the tracing program types a rootkit needs to hide processes and sockets require CAP_BPF plus CAP_PERFMON, or CAP_SYS_ADMIN, so the kernel stage only succeeds where npm install runs as root or in a privileged container; an unprivileged build user limits the blast radius to the credential sweep. Watch CI/CD egress for Tor bootstrap: a fresh download of the Tor expert bundle followed by connections to Tor directory authorities or relays from a build runner is not normal. Hardening: run `npm ci --ignore-scripts` in CI (or set `ignore-scripts=true` in the runner's .npmrc) and invoke any genuinely required build scripts explicitly, so the committed lockfile with its integrity hashes is what gets installed; run builds as an unprivileged user without CAP_BPF; scope and rotate npm publish tokens, and since Trusted Publishing credentials are now an explicit propagation target, bind the trusted publisher to a single workflow file and environment and keep install scripts disabled in that publishing job in particular.
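The two host-side signals above, as detection logic run over sample telemetry. This is an added example written for this brief, not code from JFrog's research or from the malware; every event below is constructed to mirror Sysmon-for-Linux EID 1 fields and auditd SYSCALL records, the paths and allowlists are assumptions to tune per fleet, and the bpf(2) command decoding relies only on public kernel ABI constants (syscall 321 on x86_64, 280 on aarch64, BPF_PROG_LOAD = 5).

```python
"""Detection logic for two install-time signals on a Linux build host:
(1) node/npm/npx spawning a shell for a lifecycle script (Sysmon-for-Linux EID 1), and
(2) bpf(2) BPF_PROG_LOAD from a binary outside the agent allowlist (auditd SYSCALL).
Produce (2) with:  auditctl -a always,exit -F arch=b64 -S bpf -k bpf_syscall
All sample events below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional

NODE_PARENTS = {"node", "npm", "npx"}
SHELLS = {"sh", "bash", "dash", "zsh"}
NPM_CLI_MARKERS = ("npm-cli.js", "npx-cli.js")   # npm itself runs as `node .../npm-cli.js`
# Lifecycle script bodies that legitimately need a shell. ASSUMPTION: tune per repo.
SHELL_ALLOWLIST = (re.compile(r"^node-gyp rebuild$"),)

# auditd arch value -> bpf(2) syscall number (x86_64, aarch64). Extend for other arches.
BPF_SYSCALL = {"c000003e": 321, "c00000b7": 280}
BPF_PROG_LOAD = 5   # bpf(2) cmd argument (a0) for loading a program into the kernel
# Binaries expected to load eBPF programs on a build host. ASSUMPTION: your own agents go here.
BPF_EXE_ALLOWLIST = {"/usr/sbin/bpftool", "/usr/lib/systemd/systemd"}


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def check_sysmon_process(ev: dict) -> Optional[Alert]:
    """ev mirrors Sysmon EID 1 fields: Image, CommandLine, ParentImage, ParentCommandLine, User."""
    child = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    pcmd = ev.get("ParentCommandLine", "")
    from_npm = parent in NODE_PARENTS or any(m in pcmd for m in NPM_CLI_MARKERS)
    if not (from_npm and child in SHELLS):
        return None
    # npm spawns lifecycle scripts as `sh -c '<script body>'`; keep the body for triage.
    body = ev.get("CommandLine", "").split(" -c ", 1)[-1].strip("'\"")
    if any(p.match(body) for p in SHELL_ALLOWLIST):
        return None
    return Alert("npm_lifecycle_shell",
                 f"{parent} -> {child} running {body!r} as user {ev.get('User', '?')}")


AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> dict:
    """Flatten one auditd record into key/value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def check_audit_bpf(line: str) -> Optional[Alert]:
    rec = parse_audit_line(line)
    if rec.get("type") != "SYSCALL":
        return None
    if BPF_SYSCALL.get(rec.get("arch", "")) != int(rec.get("syscall", -1)):
        return None
    cmd = int(rec.get("a0", "0"), 16)          # auditd prints syscall args as bare hex
    if cmd != BPF_PROG_LOAD:
        return None                            # map lookups/updates are routine agent noise
    exe = rec.get("exe", "")
    if exe in BPF_EXE_ALLOWLIST:
        return None
    return Alert("bpf_prog_load",
                 f"{exe} (uid {rec.get('uid')}, comm {rec.get('comm')}) loaded an eBPF "
                 f"program, success={rec.get('success')}")


def run(sysmon_events: List[dict], audit_lines: List[str]) -> List[Alert]:
    alerts = [a for a in map(check_sysmon_process, sysmon_events) if a]
    alerts += [a for a in map(check_audit_bpf, audit_lines) if a]
    return alerts


# Constructed samples: one hit and one benign case for each signal, plus unrelated events.
SAMPLE_SYSMON = [
    {"Image": "/usr/bin/sh", "CommandLine": "sh -c 'node scripts/preinstall.js'",
     "ParentImage": "/usr/bin/node",
     "ParentCommandLine": "node /usr/lib/node_modules/npm/bin/npm-cli.js install", "User": "ci"},
    {"Image": "/usr/bin/sh", "CommandLine": "sh -c 'node-gyp rebuild'",
     "ParentImage": "/usr/bin/node",
     "ParentCommandLine": "node /usr/lib/node_modules/npm/bin/npm-cli.js ci", "User": "ci"},
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'ls'",
     "ParentImage": "/usr/sbin/sshd", "ParentCommandLine": "sshd: ci [priv]", "User": "ci"},
]
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1780000000.100:501): arch=c000003e syscall=321 success=yes exit=4 '
    'a0=5 a1=7ffd2c3e1a40 a2=90 a3=0 items=0 ppid=4120 pid=4131 uid=0 comm="build-helper" '
    'exe="/tmp/build-helper"',          # hypothetical path, not an IronWorm indicator
    'type=SYSCALL msg=audit(1780000000.200:502): arch=c000003e syscall=321 success=yes exit=5 '
    'a0=1 a1=7ffd2c3e1a40 a2=20 a3=0 items=0 ppid=1 pid=900 uid=0 comm="bpftool" '
    'exe="/usr/sbin/bpftool"',
    'type=SYSCALL msg=audit(1780000000.300:503): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=7ffd2c3e1a40 a1=0 a2=0 a3=0 items=2 ppid=4120 pid=4140 uid=0 comm="sh" exe="/usr/bin/dash"',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_SYSMON, SAMPLE_AUDIT):
        print(f"[{alert.rule}] {alert.detail}")
```

The shell rule is deliberately broad and narrowed by an allowlist of script bodies, because the same `sh -c` spawn is how every legitimate postinstall runs; the bpf rule is narrowed to BPF_PROG_LOAD by exe so that map reads from your own agent do not page anyone.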