Arweave Supply Chain Attack Stole Developer Credentials Across 36 npm Packages

Published by James Harris on


What You Need to Know

  • Attackers compromised a maintainer account and pushed malicious updates to 36 npm packages with Rust-based infostealer malware.
  • IronWorm malware targeted SSH keys, AWS tokens, API credentials, and wallet files, then used stolen GitHub tokens to self-replicate.
  • The attackers used an eBPF kernel rootkit, individually encrypted strings, and Tor communications to evade detection and hide the malware's presence.
  • The attacker hardcoded their own wallet recovery phrase into the malware, an operational mistake that could enable identification and arrest.

Supply chain attackers compromised a maintainer account tied to the Arweave/WeaveDB ecosystem and pushed malicious updates to 36 npm packages, each carrying a Rust-based infostealer that activated the moment a developer ran npm install. The malware, named IronWorm by JFrog researchers, went after SSH keys, AWS tokens, OpenAI and Anthropic API credentials, and Exodus wallet files, then used stolen GitHub tokens to propagate itself into repositories the victim could write to.

The mechanics here are more sophisticated than the typical typosquatting attack. IronWorm encrypted its strings individually to resist static analysis, deployed an eBPF kernel rootkit to hide its presence, and routed operator communications through Tor. The self-replicating commit behavior, 57 backdated commits across nine GitHub organizations with forged timestamps, is the part that warrants attention: it means a single compromised developer could have seeded the malware into downstream packages before anyone noticed. The affected organizations included ArweaveOasis, WeaveDB, and asteroid-dao, which is the account JFrog identified as the initial point of compromise. A concurrent but separate attack using JavaScript-based malware called binding.gyp hit npm during the same window, suggesting either coordination or opportunistic timing by unrelated actors watching the same attack surface.

The attacker hardcoded their own wallet recovery phrase into the malware, apparently to prevent IronWorm from exfiltrating their own credentials during testing. That is the kind of operational mistake that gets people caught.

For the Arweave ecosystem specifically, the reputational exposure matters as much as the technical damage. Arweave positions itself as a decentralized permanent storage layer, and WeaveDB is a NoSQL database built on top of it, both targeting developers building with Web3 infrastructure. A supply chain compromise at the tooling layer is precisely the kind of incident that slows developer adoption, not because the underlying protocol failed, but because the surrounding build environment proved unsafe. The node-ipc compromise on May 14, achieved by re-registering an expired maintainer email domain and resetting the npm password, shows this is not an isolated campaign against crypto-adjacent projects but a pattern targeting the credential density that developer machines carry.

The malicious package versions were deprecated within a day and most backdated commits were removed shortly after discovery. Developers who installed affected WeaveDB packages should rotate all credentials immediately, audit lock files for unexpected version changes, and enable two-factor authentication on both npm and GitHub accounts.
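The lock-file audit step above, as an added example that is not part of the original article: a Node script that compares a known-good package-lock.json against the one written after an install and lists every package whose resolved version moved without a matching edit to its declared range in package.json. The two lock files and the package names in them (@acme/db-sdk, left-pad, tiny-util, new-dep) are constructed samples.

```javascript
// Added example for the lock-file audit advice above. Not code from the article
// or from any project it names; package names and versions are constructed.
// Expects package-lock.json lockfileVersion 2 or 3 ("packages" keyed by path).
const knownGoodLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@acme/db-sdk": "^1.2.0", "left-pad": "1.3.0" } },
  "node_modules/@acme/db-sdk": { version: "1.2.0" },
  "node_modules/@acme/db-sdk/node_modules/tiny-util": { version: "0.4.1" },
  "node_modules/left-pad": { version: "1.3.0" },
} };
const afterInstallLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@acme/db-sdk": "^1.2.0", "left-pad": "1.3.0" } },
  "node_modules/@acme/db-sdk": { version: "1.2.7" }, // bumped, nobody asked for it
  "node_modules/@acme/db-sdk/node_modules/tiny-util": { version: "0.4.1" },
  "node_modules/@acme/db-sdk/node_modules/new-dep": { version: "0.0.3" }, // new transitive
  "node_modules/left-pad": { version: "1.3.0" },
} };

// The text after the last "node_modules/" in a lock path is the package name.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Every installed package whose version differs, appeared, or vanished.
function diffLockfiles(before, after) {
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  const changes = [];
  for (const p of paths) {
    if (p === "") continue; // root project entry, not an installed package
    const from = before.packages[p] ? before.packages[p].version : null;
    const to = after.packages[p] ? after.packages[p].version : null;
    if (from !== to) changes.push({ path: p, name: packageName(p), from, to });
  }
  return changes.sort((a, b) => a.path.localeCompare(b.path));
}

// Unexpected: a direct dependency moved although its declared range in the root
// manifest did not change, or a transitive package (never declared) changed.
function unexpectedChanges(before, after) {
  const declBefore = before.packages[""].dependencies || {};
  const declAfter = after.packages[""].dependencies || {};
  return diffLockfiles(before, after).filter(
    (c) => !(c.name in declAfter) || declBefore[c.name] === declAfter[c.name]
  );
}

for (const c of unexpectedChanges(knownGoodLock, afterInstallLock)) {
  console.log(`${c.path}: ${c.from} -> ${c.to}`); // prints the two constructed drifts
}
```

To run it against real files, replace the two constructed objects with `JSON.parse(fs.readFileSync(path))` of the committed lock file and the freshly written one.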

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
