SlowMist|6月 04, 2026 06:49
🚨 SlowMist TI Alert 🚨
A new Rust-based supply-chain malware campaign, IronWorm, actively targeting developer environments and Web3/crypto ecosystems via malicious npm packages.
Potential attacker actions include credential theft, wallet seed and password theft, GitHub repository tampering, malicious package publishing, CI/CD secret exfiltration, Tor-based command-and-control, and stealth via an eBPF rootkit.
Security teams should audit repositories for backdated commits, suspicious branches, unexpected build hooks, and commits attributed to automation-like identities such as claude, dependabot, renovate, or github-actions. Remove or deprecate affected package versions, publish clean releases, rotate all exposed secrets and tokens, review GitHub Actions artifacts, and rebuild potentially compromised developer or CI systems from clean images.
Thanks to @JFrogSecurity for the discovery and excellent analysis.
As always, stay vigilant!
https://enterprise.misteye.io/threat-intelligence/SM-2026-981068(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink