Like Shai-Hulud, the campaign targets developers to steal credentials and reuses those credentials to propagate across the software supply chain.

June 4, 2026

A newly discovered malware campaign targeting the open source software ecosystem underscores how rapidly supply chain threats are evolving.

The campaign, which JFrog has dubbed "IronWorm," targets developers through compromised npm publishing workflows and malicious package updates. The malware, written in Rust, harvests a wide range of developer secrets, including API keys, cloud credentials, SSH keys, and npm publishing tokens, and reuses them to spread further across the software supply chain.

JFrog identified the activity while investigating suspicious behavior linked to a developer account within the Arweave/WeaveDB open source ecosystem.