Tracked campaign · npm

IronWorm

Self-replicating npm worm written in Rust. Ships a compiled binary via preinstall. Steals 86 env vars + 20 credential files, beacons over Tor, hides behind an eBPF rootkit, propagates via npm Trusted Publishing.

11 packages attributednpm ecosystemexternal source

First seen 2025-06-05

Attribution basis

These are the signal classes linking the members of this campaign — the broad evidence categories we use to attribute a package, not the raw indicators themselves.

shared malware fingerprint

Sample attributed packages

lockfile-js@1.4.2
js-digest@4.2.2
@wdm-uk/ai-management@0.1.0
@autokaka/havi@0.1.4
@autokaka/havi@0.1.3
mox-cli@8.0.1
mox-cli@8.0.0
@transitive-sdk/utils-ros@0.12.2
@transitive-sdk/utils-ros@0.12.3

PkgRadar attributes coordinated supply-chain campaigns and blocks their packages at the CI gate. Start free or see all tracked campaigns.