Skip to content
Security & Trust

IronWorm: The First npm Supply Chain Worm with a Kernel Rootkit. 37 Packages Compromised. It Steals Your Claude, OpenAI, and AWS Credentials. And This Was a Rehearsal.

JFrog researchers found a 976KB Rust-compiled worm hiding in 37 npm packages across 9 organizations. It carries an eBPF rootkit that hides from the OS, steals 86 categories of credentials including every major AI provider key, and self-propagates by minting npm Trusted Publishing tokens. A hardcoded skip-list suggests this was practice. The production version has not been found.

· 7 min read
Share on X LinkedIn
IronWorm: The First npm Supply Chain Worm with a Kernel Rootkit. 37 Packages Compromised. It Steals Your Claude, OpenAI, and AWS Credentials. And This Was a Rehearsal.

The Worm That Stole Everything — Including Your AI Keys

IronWorm, discovered June 4, 2026 by JFrog Security Research, is the most sophisticated npm supply chain attack ever documented. It compromised 37 packages across 9 organizations through 57 backdated commits. The payload is a 976KB Rust-compiled ELF binary with a custom-modified UPX stub (to evade decompression-based analysis), per-call-site string encryption, and — for the first time in a JavaScript supply chain attack — an embedded eBPF kernel-level rootkit that hides its processes and network sockets from the operating system itself.

The credential theft scope is exhaustive: 86 categories of environment variables spanning AWS, GCP, Azure, Kubernetes, Docker, GitHub, npm, PyPI, and — critically — every major AI provider. IronWorm specifically harvests API keys for Anthropic (Claude), OpenAI (GPT), Google (Gemini), Cohere, Mistral, Groq, Perplexity, and xAI. It sweeps 20+ credential file paths including ~/.claude/.credentials.json and browser keystores. It includes an Exodus cryptocurrency wallet hook that captures passwords and seed mnemonics at unlock.

37 across 9 organizations
Compromised packages
57 backdated commits. Source: JFrog Security Research, June 4, 2026.
86 — including all major AI providers
Credential categories stolen
Claude, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI. Source: JFrog.
eBPF kernel-level process hiding
Rootkit capability
First kernel rootkit in a JavaScript supply chain attack.
npm Trusted Publishing OIDC tokens
Propagation method
Self-mints tokens from CI runners — no stored credentials required.

Self-Propagation via npm's Trust Model

IronWorm's most alarming capability is its propagation method. It does not steal npm credentials to publish malicious packages — it mints legitimate npm Trusted Publishing OIDC tokens from compromised CI runners. npm's Trusted Publishing was designed to be more secure than stored credentials: instead of a static API token, the CI system proves its identity through OIDC federation. IronWorm weaponized this trust model. When it executes on a GitHub Actions runner or similar CI system, it uses the runner's identity to mint a legitimate publishing token and publishes new malicious packages or updates existing ones — all appearing as legitimate, identity-verified releases.

This attack fundamentally undermines npm's trust architecture. Trusted Publishing was the ecosystem's answer to credential theft. IronWorm demonstrates that the CI runner itself is the credential — and compromising the runner through a supply chain dependency gives the attacker publishing rights through the very mechanism designed to prevent unauthorized publishing. The defense becomes the attack surface.

This Was a Rehearsal

The most disturbing finding in JFrog's analysis: a hardcoded BIP-39 recovery phrase in the skip-list — a list of accounts or systems the worm is instructed not to attack. The presence of a skip-list with known cryptocurrency wallet recovery phrases suggests the operators were testing against their own infrastructure. JFrog's assessment: this deployment was 'a rehearsal, not the final form.'

The first half of 2026 has already produced 4.5x the malicious npm package volume of all of 2025. IronWorm is not the peak — it is the proof of concept. A worm that carries a kernel rootkit, steals AI credentials alongside cloud infrastructure keys, and propagates through the ecosystem's own trust mechanisms represents a new tier of supply chain capability. The 'production version' — without the skip-list, without the testing artifacts, with whatever additional capabilities the operators chose not to deploy in the rehearsal — has not been found.

The AI Credential Angle

IronWorm's explicit targeting of AI provider API keys marks a shift in supply chain attack objectives. Previously, supply chain attacks focused on cloud infrastructure credentials (AWS, GCP, Azure) and code hosting credentials (GitHub, GitLab). AI API keys were not targets because they were not valuable enough — they provided access to a chatbot, not to production infrastructure.

That changed in 2026. A stolen Claude API key gives access to Claude Code's capabilities — code generation, system analysis, and tool use. A stolen OpenAI key provides access to GPT-4's function calling and code interpreter. These keys now provide not just information access but action capability. An attacker with a stolen AI API key can use the AI to analyze stolen code, generate exploits, and automate further attacks — at the victim's expense. The AI credential is no longer a chatbot login. It is a force multiplier for the attacker's entire operation.

npm v12 Arrives Just in Time — Almost

npm v12, arriving July 2026, will disable install scripts by default — the mechanism IronWorm uses for initial execution. Had npm v12 been the current version, IronWorm's postinstall hook would not have executed automatically. But npm v12 is one month away, and IronWorm is here now. The 37 compromised packages are still in production dependency trees across the JavaScript ecosystem. The kernel rootkit is still hiding on systems where IronWorm executed before detection.

For web framework teams, the response hierarchy is: audit your npm dependency tree immediately (npm audit, Socket.dev), check CI runner logs for unexpected publishing events, rotate all AI provider API keys and cloud credentials on any system that ran an npm install in the last 60 days, and — when npm v12 ships — upgrade immediately. The window between IronWorm's discovery and npm v12's default change is the most dangerous period in JavaScript supply chain history.

Share this insight