
IronWorm npm Supply-Chain Attack: Detection and Incident Response Guide

Security Arsenal Team
June 5, 2026

Introduction

A significant supply-chain attack has struck the JavaScript ecosystem, impacting the Node Package Manager (npm) registry. Security researchers have identified a campaign involving 36 malicious packages infected with a novel infostealer malware dubbed IronWorm.

This is not a theoretical dependency confusion exercise; it is an active campaign targeting developer workstations and CI/CD pipelines. The IronWorm malware is designed to exfiltrate sensitive data, potentially compromising source code, proprietary algorithms, and critical infrastructure credentials. Given the pervasive use of npm in modern web development, the blast radius of this campaign is substantial. Defenders must assume that environments pulling from the public npm registry without strict allow-listing or integrity checks are at high risk.

Technical Analysis

Threat Overview: The threat actor behind this campaign has uploaded 36 distinct packages to the npm registry. These packages likely masquerade as legitimate utilities or popular libraries to entice installation (typosquatting or dependency confusion). Once installed by a developer or a build pipeline, the payload—IronWorm—is executed.

Malware Capability (IronWorm): IronWorm is classified as an infostealer. In the context of a Node.js environment, this typically entails:

  • System Enumeration: Gathering OS metadata, user information, and environment variables.
  • Credential Harvesting: Targeting .npmrc files (registry auth tokens), AWS/GCP/Azure credential files, and SSH keys located in user home directories.
  • Exfiltration: Establishing a Command & Control (C2) channel to transmit stolen data to attacker-controlled infrastructure.

Attack Chain:

  1. Initial Compromise: A developer or build server runs npm install [malicious-package], either directly or because the package is pulled in as a transitive dependency.
  2. Execution: The malicious package declares a preinstall or postinstall lifecycle script in its package.json, so the payload runs during npm install itself, before any application code ever imports the package.
  3. Payload Drop: The IronWorm script runs, often using obfuscated JavaScript to evade basic static analysis.
  4. Data Theft: The script scans the filesystem for sensitive files and reads environment variables.
  5. C2 Communication: The exfiltrated data is sent via HTTP/HTTPS POST requests to attacker-controlled endpoints.

Exploitation Status: Active exploitation has been confirmed in the wild. The packages were available for download, so any environment that ran an install that pulled one of them during the window of availability must be treated as compromised until forensics prove otherwise.

Detection & Response

The following detection mechanisms target the execution patterns typical of IronWorm and similar npm-based supply-chain attacks: a node process spawning a shell or script host with an inline command, and a node process opening outbound connections it has no business making. Two caveats before deploying them: the network rule below deliberately excludes 80 and 443, so exfiltration by plain HTTPS POST (the pattern described in the attack chain) will not trip it and has to be caught at the proxy or DNS layer using the IOCs from the source article; and the process rule will fire on legitimate build tooling such as node-gyp, so baseline your CI hosts before alerting on it.


SIGMA Rules

YAML
---
title: IronWorm - Suspicious Node.js Child Process
id: 8a4b2c1d-9e3f-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects node.exe spawning a shell or script host with an inline command, typical of malicious npm lifecycle (preinstall/postinstall) scripts.
references:
  - https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\bash.exe'
      - '\wscript.exe'
    CommandLine|contains:
      - ' /c'
      - '-Command'
      - '-EncodedCommand'
      - ' -enc'
  condition: selection
falsepositives:
  - Legitimate build tooling (node-gyp, git hooks run by npm scripts) that shells out from node
level: high
---
title: IronWorm - Node.js Outbound C2 Traffic
id: 9b5c3d2e-0f4a-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects node.exe initiating outbound connections to ports other than the usual web and dev-server ports, a possible sign of exfiltration to attacker infrastructure. Sigma has no notin modifier, so the port exclusion is a filter negated in the condition.
references:
  - https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1041
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    Initiated: 'true'
  filter_common_ports:
    DestinationPort:
      - 80
      - 443
      - 8080
      - 3000
  condition: selection and not filter_common_ports
falsepositives:
  - Development servers and private registries listening on custom ports
  - Internal API calls
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js processes spawning suspicious child processes (Windows)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "bash.exe")
// Match the flags as whole tokens: "has" on one-character tokens such as "/c" is noisy
| where ProcessCommandLine matches regex @"(?i)(\s/c\s|\s-c\s|-Command\b|-EncodedCommand|\s-enc\b)"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc


// Hunt for outbound connections initiated by Node.js (Windows and Linux hosts onboarded to MDE)
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
// Exclude common web/dev ports; exfiltration over 443 needs RemoteUrl/proxy telemetry instead
| where RemotePort !in (80, 443, 8080, 3000, 22, 53)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Node.js processes with shell children on Linux/macOS/Windows.
-- Windows names the binary node.exe; Linux and macOS name it node.
LET node_procs = SELECT Pid AS NodePid, Name AS NodeName, CommandLine AS NodeCommandLine
    FROM pslist()
    WHERE Name =~ "(?i)^node(\\.exe)?$"

-- For each node process, list children whose name is a shell or script host.
-- The row aliases (NodePid, ...) avoid clashing with the child's own Pid/Name columns.
LET suspicious_children = SELECT * FROM foreach(
    row=node_procs,
    query={
        SELECT NodePid AS ParentPid, NodeName AS ParentProcess, NodeCommandLine AS ParentCommandLine,
               Pid AS ChildPid, Name AS ChildProcess, CommandLine AS ChildCommandLine, Exe, Username
        FROM pslist()
        WHERE Ppid = NodePid
          AND Name =~ "(?i)^(sh|bash|zsh|dash|cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe)$"
    })

SELECT * FROM suspicious_children

Remediation Script (Bash)

This script scans the current directory and its subdirectories (node_modules included) for package.json files and lists every package that declares a preinstall, install, or postinstall script, the hooks IronWorm uses to execute at install time.

Bash / Shell
#!/bin/bash
# Audit npm packages for lifecycle scripts that run at install time.
# IronWorm executes through preinstall/postinstall hooks, so every such hook
# in the tree (including inside node_modules) deserves a look.
set -u

echo "[*] Scanning for package.json files and analyzing lifecycle scripts..."

find . -type f -name "package.json" -not -path "*/.git/*" -print0 | while IFS= read -r -d '' file; do
    if command -v jq >/dev/null 2>&1; then
        # jq: emit "hook: command" for each install-time hook; '// {}' copes with a missing scripts object
        scripts=$(jq -r '(.scripts // {}) | to_entries[]
                         | select(.key == "preinstall" or .key == "install" or .key == "postinstall")
                         | "\(.key): \(.value)"' "$file" 2>/dev/null)
        if [ -n "$scripts" ]; then
            printf '\n[+] %s\n    [!] WARNING: install-time lifecycle scripts found:\n' "$file"
            printf '%s\n' "$scripts" | sed 's/^/       - /'
        fi
    else
        # Fallback when jq is missing: a plain grep, noisier and in need of manual review
        if grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' "$file"; then
            printf '\n[+] %s\n    [!] WARNING: potential lifecycle scripts detected, review manually:\n' "$file"
            grep -En '"(preinstall|install|postinstall)"[[:space:]]*:' "$file"
        fi
    fi
done

printf '\n[*] Audit complete.\n'
echo "[*] Recommendation: compare every hit against the advisory's package list, reinstall with 'npm ci --ignore-scripts', and rotate any credentials that were present on this host."

Remediation

Immediate containment and eradication are critical because IronWorm is an infostealer: every minute it has run is a minute of credential exposure.

  1. Identify and Remove Malicious Packages: Cross-reference your package.json and package-lock.json (or yarn.lock) files, transitive dependencies included, against the official list of 36 malicious packages published in the source advisory.

    • Action: Remove any identified packages immediately.
    • Command: npm uninstall <malicious-package-name>
  2. Sanitize the Environment: Uninstalling the package does not undo anything its lifecycle script already did; treat the host as compromised until the forensics in step 5 say otherwise.

    • Delete node_modules: Remove the entire directory so no lingering malicious code remains: rm -rf node_modules
    • Clean the Lock File: Remove the malicious entries from package-lock.json or yarn.lock rather than deleting the whole file. A deleted lock file means the next install resolves every version afresh and may pull in something new and unreviewed.
    • Reinstall Without Running Hooks: npm ci --ignore-scripts installs exactly the locked versions and skips every preinstall, install, and postinstall hook, so nothing executes before you have reviewed the tree. Re-enable scripts only for the packages that genuinely need a build step.
  3. Credential Rotation (CRITICAL): Since IronWorm is an infostealer, assume that any credential available in the environment during the compromise has been stolen.

    • Rotate all API keys (AWS, Azure, GCP, GitHub) and the npm tokens stored in .npmrc.
    • Rotate database credentials and service tokens.
    • Revoke the SSH keys that were resident on the compromised machine and issue new key pairs.
    • Revoke and reissue OAuth tokens.
  4. Network Blocking: Identify and block the Command & Control (C2) IP addresses and domains associated with the IronWorm campaign at the perimeter firewall and proxy level. Refer to the IOCs (Indicators of Compromise) in the source article.

  5. Developer Workstation Forensics: Reimage developer workstations if the malware achieved persistence or left background processes running. At a minimum, perform a full disk scan with current EDR signatures and review the process and network telemetry from the hunts above for the window in which the package was installed.
