#threatreport #LowCompleteness
IronWorm: Shai-Hulud's rustier cousin | 03-06-2026
Source:
research.jfrog.com/post/iron…
Key details below ↓
💀Threats:
Ironworm, Shai-hulud, Supply_chain_technique, Credential_harvesting_technique
🎯Victims: Software developers, Crypto and web3 developers, Github repositories, Npm packages
📚TTPs:
⚔️Tactics: 2
🛠️Techniques: 0
🤖LLM extracted TTPs:
T1014, T1027, T1027.002, T1036, T1056, T1059.004, T1071.001, T1078, T1083, T1090.003, ...
🧨IOCs:
- File: 1
- Email: 5
💽Software: Linux, claude, Arweave, dependabot, Kubernetes, Anthropic, OpenAI, Mistral, Groq, Electron, ...
📲Wallets: exodus_wallet
🗂️Win API: lockfile
📜Programming Languages: javascript, rust, c_language
#threatreport:
IronWorm is a newly identified infostealer malware written in Rust, discovered through a malicious npm package delivered via a supply-chain attack targeting software developers—particularly those within the crypto and web3 domains. The malware scrapes sensitive information from developers’ machines, uses an eBPF-based kernel rootkit for stealth, and communicates with its operators over Tor.
The malware deploys itself through infected GitHub repositories by committing stolen credentials as part of its propagation mechanism. It stealthily inserts its payload into projects by mimicking legitimate activity, often attaching its malicious commits to existing legitimate commit timestamps, thereby blending in seamlessly. The IronWorm variant identified includes a UPX-packed ELF binary disguised to evade detection, utilizing a modified UPX stub to conceal its true nature. Once unpacked, the binary reveals complex logic and asynchronous features characteristic of Rust, making reverse engineering challenging.
IronWorm’s functionality includes the extensive exfiltration of credentials, targeting 86 types of environment variables related to cloud platforms, databases, and development tools. It specifically includes techniques for capturing sensitive information from cryptocurrency wallets by injecting JavaScript hooks into applications like Exodus, allowing it to collect wallet passwords and recovery phrases without arousing suspicion.
In terms of capabilities, IronWorm can modify existing GitHub Actions workflows to steal secrets without adding new files, allowing it to exfiltrate sensitive information in a manner that appears legitimate. This approach utilizes trusted identities to obscure its malicious intent. The malware is designed to automate the republishing of packages under the compromised npm account using npm's Trusted Publishing feature, which avoids the need for retained credentials.
IronWorm employs advanced hiding techniques through its eBPF-based kernel rootkit, which enables it to conceal running processes and network connections from system monitoring tools, while simultaneously implementing anti-debugging measures to complicate analysis and detection. However, the rootkit's effectiveness may be reduced on hardened systems where certain kernel restrictions are in place.
Communication with its command and control is achieved by establishing a Tor connection, which allows IronWorm to send collected data back to its operators and receive commands. The malware's design and operation appear highly specialized, diverging from mainstream infostealers, indicating a custom-built infrastructure aimed at long-term stealth and impact.
This sophisticated malware underscores the importance of auditing and securing development environments, specifically reviewing repository commit histories for irregularities and ensuring proper actions are taken against compromised accounts and their associated packages. The presence of weaknesses, such as unstripped BPF debug data, suggests this may not be the final iteration of IronWorm, but rather an evolving threat requiring ongoing vigilance from defenders.
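The summary recommends reviewing repository commit histories for irregularities, and it names two behaviours a reviewer can look for: commits whose author timestamp is glued onto existing legitimate history, and commits that modify (rather than add) GitHub Actions workflow files. The following triage script is an added example for this page; it is not JFrog's tooling, not code from the report, and not IronWorm code. It assumes a git log produced by the hypothetical command shown in the comment (`--reverse` so history is oldest first, `--name-status` so added and modified files can be told apart), and its thresholds and heuristic names are assumptions chosen for illustration. The sample log is constructed.

```python
"""Commit-history triage for the propagation pattern described in the summary.

Added example for this page, not JFrog's tooling and not IronWorm code. It
assumes a git log produced with the format below and applies simple heuristics
for two behaviours the report describes: commits whose author timestamp is
attached to existing history, and commits that modify (not add) GitHub Actions
workflow files.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch

# Hypothetical command producing the input this parser expects (oldest first):
#   git log --reverse --pretty=format:'%H|%at|%ct|%ae|%s' --name-status
WORKFLOW_GLOB = ".github/workflows/*.y*ml"
HEX = set("0123456789abcdef")


@dataclass
class Commit:
    sha: str
    author_ts: int      # %at: author epoch seconds (the value backdating manipulates)
    committer_ts: int   # %ct: committer epoch seconds (when the commit was really made)
    author_email: str
    subject: str
    files: list[tuple[str, str]] = field(default_factory=list)  # (status, path)


def parse_git_log(text: str) -> list[Commit]:
    """Parse --name-status output into Commit records in the order given."""
    commits: list[Commit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 4)
        if len(parts) == 5 and len(parts[0]) == 40 and set(parts[0]) <= HEX:
            sha, a_ts, c_ts, email, subject = parts
            commits.append(Commit(sha, int(a_ts), int(c_ts), email, subject))
        elif commits and "\t" in line:
            status, *_, path = line.split("\t")   # "M\tpath" or "R100\told\tnew"
            commits[-1].files.append((status[0], path))
    return commits


def find_suspicious(commits: list[Commit], max_lag_s: int = 7 * 86400) -> dict[str, list[str]]:
    """Return {sha: [reasons]} for commits worth a human look.

    Heuristics (assumptions for triage, not proof of compromise; rebases and
    cherry-picks also separate author and committer dates):
      timestamp_collision   author timestamp identical to an earlier commit's
      timestamp_regression  author timestamp earlier than the preceding commit's
      delayed_commit        committer timestamp more than max_lag_s after author timestamp
      workflow_edit         modifies an existing GitHub Actions workflow file
    """
    findings: dict[str, list[str]] = {}
    seen: set[int] = set()
    prev_author_ts: int | None = None
    for c in commits:
        reasons: list[str] = []
        if c.author_ts in seen:
            reasons.append("timestamp_collision")
        if prev_author_ts is not None and c.author_ts < prev_author_ts:
            reasons.append("timestamp_regression")
        if c.committer_ts - c.author_ts > max_lag_s:
            reasons.append("delayed_commit")
        if any(st == "M" and fnmatch(p, WORKFLOW_GLOB) for st, p in c.files):
            reasons.append("workflow_edit")
        if reasons:
            findings[c.sha] = reasons
        seen.add(c.author_ts)
        prev_author_ts = c.author_ts
    return findings


# Constructed sample log (not real repository data): three commits, the last one
# backdated onto the first commit's author timestamp and editing the CI workflow.
SAMPLE_LOG = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|1704067200|1704067200|dev@example.com|feat: add build pipeline

A\t.github/workflows/ci.yml
A\tpackage.json

bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb|1704153600|1704153600|dev@example.com|fix: bump deps

M\tpackage.json
M\tpackage-lock.json

cccccccccccccccccccccccccccccccccccccccc|1704067200|1709856000|dev@example.com|chore: update ci

M\t.github/workflows/ci.yml
"""

if __name__ == "__main__":
    for sha, reasons in find_suspicious(parse_git_log(SAMPLE_LOG)).items():
        print(sha[:12], ", ".join(reasons))
```

Only the third constructed commit is reported, with all four reasons; the first commit adds the workflow file rather than modifying it, so it is not flagged. Any hit is a prompt to diff the commit and check the workflow for new steps that read or forward secrets, not a verdict: legitimate rebases, cherry-picks and squash merges also produce author/committer gaps, so tune `max_lag_s` to the repository's normal workflow.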