{"id":4249,"date":"2026-06-05T15:13:51","date_gmt":"2026-06-05T15:13:51","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/05\/ironworm-malware-shares-shai-hulud-traits-takes-threat-to-next-level\/"},"modified":"2026-06-05T15:13:51","modified_gmt":"2026-06-05T15:13:51","slug":"ironworm-malware-shares-shai-hulud-traits-takes-threat-to-next-level","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/05\/ironworm-malware-shares-shai-hulud-traits-takes-threat-to-next-level\/","title":{"rendered":"IronWorm Malware Shares Shai-Hulud Traits, Takes Threat to \u2018Next Level\u2019"},"content":{"rendered":"<p>Open source software developers continue to come under attack, with the latest threat being a custom malware that shares many of the attributes of the notorious <a href=\"https:\/\/devops.com\/widespread-mini-shai-hulud-campaign-is-a-matter-of-trust\/\" target=\"_blank\" rel=\"noopener\">Shai-Hulud self-propagating worm<\/a> but comes with functions that make it more difficult for defenders to detect and to reverse engineer.<\/p>\n<p><a href=\"https:\/\/research.jfrog.com\/post\/iron-worm-shai-hulud-rustier-cousin\/\" target=\"_blank\" rel=\"noopener\">Dubbed \u201cIronWorm,\u201d<\/a> the infostealer is built in the Rust programming language and targets developers \u2013 software developers as well as cryptocurrency and Web3 developers 
\u2013 through malicious npm packages, according to researchers with JFrog Security. It self-replicates across the software supply chain by stealing credentials and uploading GitHub commits, and then automatically publishing new packages to the npm registry.<\/p>\n<p>\u201cThe fact that every npm package belonging to the compromised account was republished with a malicious version strongly suggested that the malware had an automated way to publish packages on behalf of its victims,\u201d the researchers wrote in a report. \u201cThe code confirmed it.\u201d<\/p>\n<p>It steals a broad range of developer secrets, including cloud credentials, npm publishing tokens, and API and SSH keys. It looks for them in just about every major platform that developers use, from cloud providers and object storage to databases, <a href=\"https:\/\/devops.com\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/\">CI\/CD systems<\/a>, Kubernetes, and messaging platforms. It also targets AI and machine learning API keys from players like OpenAI, Google Gemini, Anthropic, Mistral, and Groq.<\/p>\n<h3>Two Payloads<\/h3>\n<p>IronWorm uses a Tor-based command-and-control (C2) structure for communications and has two payloads for different repository structures, with each payload using a different identity to blend in.<\/p>\n<p>\u201cIf the repository shipped a package \u2013 npm, PyPI, Cargo, Conan, or vcpkg (C++) \u2013 the malware took a more direct route: it dropped a binary into the project and modified the build system to execute it,\u201d the researchers wrote, noting that this was what they saw in the wild. 
\u201cIf the repository already had GitHub Actions workflows, the malware had a second, nastier option: it did not add a new file, but replaced an existing one \u2013 swapping a real workflow for a secret-exfiltration job.\u201d<\/p>\n<p>They also pointed to the malware hiding behind an eBPF kernel rootkit, calling it a \u201cstandout feature\u201d of the threat.<\/p>\n<h3>eBPF Used for Good and Bad<\/h3>\n<p>\u201cOn modern Linux systems, eBPF gives code unusually deep visibility into system activity and, in the wrong hands, a place to hide,\u201d the researchers wrote. \u201cThe same technology used for observability and security tooling can also be abused to intercept events, manipulate what monitoring tools see, and conceal the malware\u2019s own operations from defenders.\u201d<\/p>\n<p>They uncovered IronWorm while reviewing npm packages published by a particular account that was tied to a GitHub organization. What piqued their interest was that every one of the account\u2019s packages had been republished inside a narrow time window, with each new version shipping a native binary that ran from an install hook.<\/p>\n<p>\u201cThat was enough to make us look closer,\u201d they wrote, adding that the \u201cpackages were nearly identical.\u201d<\/p>\n<h3>Similar But Different<\/h3>\n<p>The threat group TeamPCP has used Shai-Hulud for several months in campaigns targeting developers and the software supply chain. Last month, the group put the worm\u2019s source code into a GitHub repository, giving other attackers the ability to create their own variants, with multiple such clones \u2013 <a href=\"https:\/\/devops.com\/shai-hulud-clone-miasma-compromises-32-red-hat-npm-packages\/\" target=\"_blank\" rel=\"noopener\">like the Miasma malware<\/a> \u2013 being found in the wild, according to Datadog analysts.<\/p>\n<p>However, while they didn\u2019t say IronWorm was such a clone, the JFrog researchers noted some similarities to Shai-Hulud. 
That said, they wrote that what they were looking at was a \u201ccustom, carefully built implant from an operation with its own infrastructure and the patience to use it quietly.\u201d<\/p>\n<p>Like Shai-Hulud, it compromises developers, steals credentials, and uses trusted supply-chain workflows to spread. It also uses the same commit names as Shai-Hulud.<\/p>\n<p>\u201cBut it takes the same concept to the next level,\u201d they added. \u201cIt makes defenders\u2019 lives harder on several fronts at once: Rust code that is painful to reverse engineer, string [encryption with a unique key at every call site] obfuscation, a modified UPX packer, Tor-based C2, an eBPF rootkit.\u201d<\/p>\n<h3>A Work in Progress<\/h3>\n<p>They also saw that the compiler had left recoverable source lines behind in the malware\u2019s BPF object, added that they found 57 back-dated malicious commits across nine organizations, and noted that the operator had hardcoded their own crypto wallet\u2019s recovery phrase into the malware\u2019s skip list so that the stealer would skip it.<\/p>\n<p>Researchers with Ox Security wrote that IronWorm <a href=\"https:\/\/www.ox.security\/blog\/ironworm-supply-chain-malware-hits-npm\/\" target=\"_blank\" rel=\"noopener\">infected 36 unique packages<\/a>, and that while those affected generated a combined 32,177 monthly downloads, IronWorm was mitigated before the infection spread too widely.<\/p>\n<p>Despite what they found, the JFrog researchers wrote that IronWorm \u201cstill looks like a work in progress. Some parts are carefully engineered, but others are surprisingly careless. The BPF object still contains debug metadata and recoverable source lines, and the operator even hardcoded a wallet recovery phrase into the malware\u2019s skip list. These mistakes gave us a rare look into how the implant works. 
In other words, this may not be the final form of the campaign, it may be the rehearsal.\u201d<\/p>\n<p><a href=\"https:\/\/devops.com\/ironworm-malware-shares-some-shai-hulud-traits-but-takes-it-to-next-level\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"author":1,"categories":[5],"tags":[]}