IronWorm Supply Chain Malware Hits npm
Is it a bird? Is it a plane? No, it’s ANOTHER supply chain attack.
Breaking News: A new supply chain attack has hit the npm ecosystem, infecting 36 unique packages. Instead of utilizing traditional obfuscated JavaScript code, this malware hides inside binary executable files triggered by a postinstall script. Fortunately, despite the affected packages garnering a combined total of 32,177 monthly downloads, the threat was mitigated before the infection could spread to more popular packages.
Overview
IronWorm is a self-replicating, Rust-built malware campaign targeting software developers via malicious npm packages.
The malware targets environment variables, cloud credentials, and crypto wallets.
It self-replicates by stealing credentials and uploading GitHub commits that automatically publish new malicious packages.
Kudos to JFrog for detecting and reporting this campaign.
Who is affected
Anyone installing the affected versions of the malicious packages (see below)
Impact
36 packages were infected
32,177 total monthly downloads
148,724 total lifetime downloads
Recommended Actions
Rotate your keys and add 2FA to your accounts
Upgrade the affected packages to a fixed version
Affected Packages
| Package name (npm) | Affected versions |
|---|---|
| ai3 | 0.3.5 |
| aonote | 0.11.1 |
| arjson | 0.1.4 |
| arnext | 0.1.5 |
| arnext-arkb | 0.0.2 |
| atomic-notes | 0.5.3 |
| create-arnext-app | 0.0.10 |
| cwao | 0.5.6 |
| cwao-tools | 0.3.1 |
| cwao-units | 0.8.3 |
| fpjson-lang | 0.1.7 |
| hbsig | 0.3.2 |
| monade | 0.0.7 |
| roidjs | 0.1.7 |
| test-ajs | 0.1.19 |
| test-weavedb-sdk | 1.1.1 |
| testnpmnmp | 1.0.21 |
| wao | 0.41.2 |
| warp-contracts-plugin-deploy-test | 3.0.1 |
| wdb-cli | 0.1.1 |
| wdb-core | 0.1.2 |
| wdb-sdk | 0.1.2 |
| weavedb-base | 0.45.3 |
| weavedb-client | 0.45.3 |
| weavedb-console | 0.2.1 |
| weavedb-contracts | 0.45.2 |
| weavedb-exm-sdk | 0.7.4 |
| weavedb-exm-sdk-web | 0.7.4 |
| weavedb-node-client | 0.45.3 |
| weavedb-offchain | 0.45.4 |
| weavedb-sdk | 0.45.3 |
| weavedb-sdk-base | 0.21.1 |
| weavedb-sdk-node | 0.45.3 |
| weavedb-tools | 0.45.3 |
| weavedb-warp-contracts-plugin-deploy | 1.0.11 |
| zkjson | 0.8.5 |
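To check whether a project resolved any of the versions listed above, the following added example (not code from OX Security or JFrog) matches a parsed package-lock.json against the table. The function names and the sample lockfile are assumptions constructed for illustration; it handles both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1.

```javascript
// Added example: match a parsed npm lockfile against the affected
// name@version pairs from the advisory table. Not the vendor's tooling.
const AFFECTED = new Set(`
ai3@0.3.5 aonote@0.11.1 arjson@0.1.4 arnext@0.1.5 arnext-arkb@0.0.2
atomic-notes@0.5.3 create-arnext-app@0.0.10 cwao@0.5.6 cwao-tools@0.3.1
cwao-units@0.8.3 fpjson-lang@0.1.7 hbsig@0.3.2 monade@0.0.7 roidjs@0.1.7
test-ajs@0.1.19 test-weavedb-sdk@1.1.1 testnpmnmp@1.0.21 wao@0.41.2
warp-contracts-plugin-deploy-test@3.0.1 wdb-cli@0.1.1 wdb-core@0.1.2
wdb-sdk@0.1.2 weavedb-base@0.45.3 weavedb-client@0.45.3
weavedb-console@0.2.1 weavedb-contracts@0.45.2 weavedb-exm-sdk@0.7.4
weavedb-exm-sdk-web@0.7.4 weavedb-node-client@0.45.3 weavedb-offchain@0.45.4
weavedb-sdk@0.45.3 weavedb-sdk-base@0.21.1 weavedb-sdk-node@0.45.3
weavedb-tools@0.45.3 weavedb-warp-contracts-plugin-deploy@1.0.11 zkjson@0.8.5
`.trim().split(/\s+/));

// Yield [name, version, installPath] for every package pinned in the lockfile.
function* lockedPackages(lock) {
  if (!lock.packages) { yield* walkV1(lock.dependencies || {}, ""); return; }
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link) continue; // root project or workspace symlink
    // Nested installs look like node_modules/a/node_modules/b: keep the last name.
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
    yield [name, meta.version, path];
  }
}
// lockfileVersion 1 stores transitive installs as a recursive "dependencies" tree.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const where = `${prefix}node_modules/${name}`;
    yield [name, meta.version, where];
    yield* walkV1(meta.dependencies || {}, `${where}/`);
  }
}
function findAffected(lock) {
  const hits = [];
  for (const [name, version, where] of lockedPackages(lock))
    if (AFFECTED.has(`${name}@${version}`)) hits.push({ name, version, where });
  return hits;
}
// Constructed sample (v3): two affected installs, one unaffected version.
const SAMPLE = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/zkjson": { version: "0.8.4" },
  "node_modules/wdb-sdk": { version: "0.1.2" },
  "node_modules/wdb-sdk/node_modules/wdb-core": { version: "0.1.2" },
} };
console.log(findAffected(SAMPLE));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`. Because the payload is triggered by a postinstall script, any machine or CI runner that installed from a lockfile with a hit should have its credentials rotated, as recommended above.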
The post IronWorm Supply Chain Malware Hits npm appeared first on OX Security.