IronWorm: Rust-Based npm Supply-Chain Attack Uses eBPF Rootkit and Tor to Steal AI and Cloud Credentials
IronWorm infects 36 npm packages with a Rust implant running under an eBPF kernel rootkit and Tor C2. It targets OpenAI, AWS, Anthropic, and npm credentials — then self-propagates via stolen Trusted Publishing tokens.
Rudra Verma, Senior Security Architect & Researcher