Malware Infects 36 npm Packages in Supply-Chain Attack
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — A sophisticated supply-chain attack has compromised 36 packages on the Node Package Manager (npm), distributing malware designed to steal credentials and cryptocurrency wallet files.
The attack, detected on June 4, 2026, utilized a compromised npm account registered under the name 'asteroiddao'. Security researchers identified the malicious code, dubbed IronWorm, embedded within the packages. The malware targets sensitive user data, specifically aiming to exfiltrate authentication tokens and private keys used for digital asset management.
The compromised packages were published through GitHub repositories associated with the 'asteroiddao' account. The commit author listed for the malicious updates was identified as 'claude'. The infection mechanism relied on the trust developers place in established libraries, allowing the malicious code to execute automatically when users installed or updated the affected packages.
IronWorm operates by scanning the local environment of the infected system for specific file patterns associated with popular cryptocurrency wallets and authentication services. Once identified, the malware copies these files and transmits them to a remote command-and-control server. The attack vector highlights the vulnerability of software supply chains, where a single compromised dependency can impact thousands of downstream applications.
The npm registry, a central hub for JavaScript libraries, serves as critical infrastructure for modern web development. The scale of the compromise, affecting 36 distinct packages, suggests a coordinated effort rather than an isolated incident. The packages varied in functionality, ranging from utility libraries to specialized development tools, broadening the potential attack surface.
Developers are advised to audit their dependencies and remove any versions of the affected packages published by the 'asteroiddao' account. Security teams are working to identify the extent of the infection and determine if any data has already been exfiltrated. The npm registry administrators have suspended the compromised account to prevent further distribution of malicious code.
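One way to carry out that audit offline, as an added example that is not code from the report or from npm: the lockfile and registry metadata below are constructed samples, and the `_npmUser` field is assumed to be the registry's record of which account ran `npm publish` for each version. The check also lists packages it cannot judge, since a missing packument must not be mistaken for a clean result.

```javascript
// Added example, not code from the report or from npm: audit the packages in a
// package-lock.json against registry packuments and flag installed versions
// published by a named account. Assumption: the registry's GET /<name> response
// records the publishing account as `versions[v]._npmUser.name`.
const COMPROMISED_ACCOUNT = "asteroiddao"; // account named in the report
// Constructed sample lockfile (lockfileVersion 3 "packages" map, trimmed).
const lockfile = {
  packages: {
    "": { name: "my-app" }, // root project entry, skipped below
    "node_modules/left-util": { version: "2.1.0" },
    "node_modules/@tools/dev-helper": { version: "1.4.2" },
    "node_modules/safe-lib": { version: "0.9.0" }, // no packument fetched
  },
};
// Constructed sample packuments, keyed by package name.
const packuments = {
  "left-util": { versions: {
    "2.0.0": { _npmUser: { name: "maintainer-a" } },
    "2.1.0": { _npmUser: { name: "asteroiddao" } } } },
  "@tools/dev-helper": { versions: {
    "1.4.2": { _npmUser: { name: "maintainer-b" } } } },
};

// Turn lockfile paths into {name, version}; handles nested node_modules
// directories and scoped packages such as node_modules/@scope/name.
function installedPackages(lock) {
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([p]) => p !== "")
    .map(([p, meta]) => ({
      name: p.slice(p.lastIndexOf(marker) + marker.length),
      version: meta.version,
    }));
}

// Return installed versions whose recorded publisher is `account`. Packages
// with no packument are listed as unverified: an offline check cannot clear
// them, so fetch their metadata rather than assume they are safe.
function auditLockfile(lock, packs, account) {
  const suspect = [];
  const unverified = [];
  for (const { name, version } of installedPackages(lock)) {
    const publisher = packs[name]?.versions?.[version]?._npmUser?.name;
    if (publisher === undefined) unverified.push(`${name}@${version}`);
    else if (publisher === account) suspect.push(`${name}@${version}`);
  }
  return { suspect, unverified };
}
const result = auditLockfile(lockfile, packuments, COMPROMISED_ACCOUNT);
console.log(result); // { suspect: ['left-util@2.1.0'], unverified: ['safe-lib@0.9.0'] }
```

Any entry in `suspect` should be removed or pinned to a version published before the account was compromised, and `unverified` entries need their packuments fetched before the audit can be called complete.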
The motivation behind the attack remains unclear. While the malware specifically targets cryptocurrency assets, the inclusion of credential-stealing capabilities suggests a broader intent to access corporate or personal accounts. The use of the 'claude' commit author name has drawn attention, though no attribution has been made to any specific group or individual.
The incident underscores the ongoing risks facing open-source software ecosystems. As reliance on third-party libraries grows, the potential impact of supply-chain attacks increases. Security experts warn that similar tactics could be employed against other package managers or repositories in the future.
Questions remain regarding the origin of the compromised 'asteroiddao' account and the identity of the threat actor. Investigators are examining the timeline of the account's creation and the history of the associated GitHub repositories to trace the attack's origins. The full scope of the data breach is still being assessed, with no confirmation yet on whether any financial losses have occurred.
The incident serves as a reminder of the fragility of digital infrastructure and the need for robust security measures in software development. As the investigation continues, the focus remains on mitigating the damage and preventing future compromises.