Is it a bird? Is it a plane? No, it’s ANOTHER supply chain attack.
Breaking News: A new supply chain attack has hit the npm ecosystem, infecting 36 unique packages. Instead of using traditional obfuscated JavaScript code, this malware hides inside binary executable files that are launched by a postinstall script. Fortunately, despite the affected packages garnering a combined total of 32,177 monthly downloads, the threat was mitigated before the infection could spread to more popular packages.
Overview
IronWorm is a self-replicating, Rust-built malware campaign targeting software developers via malicious NPM packages.
The malware targets environment variables, cloud credentials, and crypto wallets.
It self-replicates by stealing credentials and uploading GitHub commits that automatically publish new malicious packages.
Kudos to JFrog for detecting and reporting this campaign.
Who is affected
Anyone installing the affected versions of the malicious packages (see below)
Impact
- 36 packages were infected
- 32,177 total monthly downloads
- 148,724 total lifetime downloads
Recommended Actions
- Rotate your keys and add 2FA to your accounts
- Upgrade the affected packages to a fixed version
Affected Packages
| Package name (npm) | Affected versions |
|---|---|
| ai3 | 0.3.5 |
| aonote | 0.11.1 |
| arjson | 0.1.4 |
| arnext | 0.1.5 |
| arnext-arkb | 0.0.2 |
| atomic-notes | 0.5.3 |
| create-arnext-app | 0.0.10 |
| cwao | 0.5.6 |
| cwao-tools | 0.3.1 |
| cwao-units | 0.8.3 |
| fpjson-lang | 0.1.7 |
| hbsig | 0.3.2 |
| monade | 0.0.7 |
| roidjs | 0.1.7 |
| test-ajs | 0.1.19 |
| test-weavedb-sdk | 1.1.1 |
| testnpmnmp | 1.0.21 |
| wao | 0.41.2 |
| warp-contracts-plugin-deploy-test | 3.0.1 |
| wdb-cli | 0.1.1 |
| wdb-core | 0.1.2 |
| wdb-sdk | 0.1.2 |
| weavedb-base | 0.45.3 |
| weavedb-client | 0.45.3 |
| weavedb-console | 0.2.1 |
| weavedb-contracts | 0.45.2 |
| weavedb-exm-sdk | 0.7.4 |
| weavedb-exm-sdk-web | 0.7.4 |
| weavedb-node-client | 0.45.3 |
| weavedb-offchain | 0.45.4 |
| weavedb-sdk | 0.45.3 |
| weavedb-sdk-base | 0.21.1 |
| weavedb-sdk-node | 0.45.3 |
| weavedb-tools | 0.45.3 |
| weavedb-warp-contracts-plugin-deploy | 1.0.11 |
| zkjson | 0.8.5 |
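One way to check a project against the table above, as an added example (not code from the advisory or from JFrog): it walks a lockfileVersion 2 or 3 package-lock, matches every installed package@version pair against the list, and separately flags any dependency that npm recorded with hasInstallScript, since this campaign's payload ran from a postinstall script. The sample lockfile is constructed for the demonstration.

```javascript
// Affected package@version pairs, copied from the advisory table above.
const AFFECTED = new Set([
  "ai3@0.3.5", "aonote@0.11.1", "arjson@0.1.4", "arnext@0.1.5",
  "arnext-arkb@0.0.2", "atomic-notes@0.5.3", "create-arnext-app@0.0.10",
  "cwao@0.5.6", "cwao-tools@0.3.1", "cwao-units@0.8.3", "fpjson-lang@0.1.7",
  "hbsig@0.3.2", "monade@0.0.7", "roidjs@0.1.7", "test-ajs@0.1.19",
  "test-weavedb-sdk@1.1.1", "testnpmnmp@1.0.21", "wao@0.41.2",
  "warp-contracts-plugin-deploy-test@3.0.1", "wdb-cli@0.1.1", "wdb-core@0.1.2",
  "wdb-sdk@0.1.2", "weavedb-base@0.45.3", "weavedb-client@0.45.3",
  "weavedb-console@0.2.1", "weavedb-contracts@0.45.2", "weavedb-exm-sdk@0.7.4",
  "weavedb-exm-sdk-web@0.7.4", "weavedb-node-client@0.45.3",
  "weavedb-offchain@0.45.4", "weavedb-sdk@0.45.3", "weavedb-sdk-base@0.21.1",
  "weavedb-sdk-node@0.45.3", "weavedb-tools@0.45.3",
  "weavedb-warp-contracts-plugin-deploy@1.0.11", "zkjson@0.8.5",
]);

// Walk the "packages" map of a lockfileVersion 2/3 package-lock. Keys look like
// "node_modules/a" or "node_modules/a/node_modules/@scope/b"; "" is the root project.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta || !meta.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // strip prefix
    const reasons = [];
    if (AFFECTED.has(`${name}@${meta.version}`)) reasons.push("listed in advisory");
    if (meta.hasInstallScript) reasons.push("runs install script"); // npm records this
    if (reasons.length) hits.push({ name, version: meta.version, path, reasons });
  }
  return hits;
}

// Constructed sample lockfile; on a real project pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/weavedb-sdk": { version: "0.45.3", hasInstallScript: true },
    "node_modules/zkjson": { version: "0.8.4" }, // not the affected version
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-native": { version: "2.0.0", hasInstallScript: true },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.path} (${hit.name}@${hit.version}): ${hit.reasons.join(", ")}`);
}
```

A hit with only "runs install script" is not proof of compromise, just the dependencies worth reviewing first; lockfileVersion 1 files use a nested "dependencies" tree instead and are not handled here.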