New IronWorm malware hits 36 packages in npm supply-chain attack
A supply-chain attack infected 36 packages on npm with IronWorm infostealer malware. The attack compromised multiple packages in the Node Package Manager ecosystem, potentially affecting downstream users and applications.
- Disclosed: June 4, 2026
- Last updated: June 7, 2026
- Blast radius: 36 npm packages, with potentially widespread downstream impact depending on package popularity and usage
- Ecosystems
- Attack vectors
- Affected entities: 36 npm packages (specific package names not provided in source text)
A new supply-chain attack has compromised 36 packages on the Node Package Manager (npm) index with infostealer malware named IronWorm. The malicious packages were distributed through the npm registry, a critical infrastructure point for JavaScript/Node.js development.
The IronWorm malware is designed to steal information from affected systems. With 36 packages compromised, the potential blast radius extends to any developer or application that installed these packages as dependencies.
The attack represents a direct compromise of the npm supply chain, affecting the integrity of packages available to millions of developers worldwide.
Remediation
- Audit the npm packages installed in your projects to identify any of the 36 affected packages
- Remove or update any affected packages immediately
- Review package-lock.json or yarn.lock files for evidence of installation
- Scan systems that may have executed code from affected packages for IronWorm malware indicators
- Monitor npm security advisories for the specific package names and versions
- Implement stricter package vetting and dependency scanning in your development pipeline
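One way to carry out the lock-file review step above, shown as an added example that is not code from this entry or its source. The names and versions in `AFFECTED` are constructed placeholders, because this entry does not list the 36 packages, and the function names are this example's own.

```javascript
// Placeholder list: the page does not name the 36 packages, so fill this from
// the advisory. "*" marks every version of a package as affected.
const AFFECTED = new Map([
  ["example-affected-pkg", ["1.4.2"]],   // constructed name and version
  ["@example-scope/affected", ["*"]],    // constructed name
]);

function isAffected(name, version) {
  const bad = AFFECTED.get(name);
  return Boolean(bad) && (bad.includes("*") || bad.includes(version));
}

// package-lock.json: lockfileVersion 2/3 has a flat "packages" map keyed by
// install path; lockfileVersion 1 has only a nested "dependencies" tree.
function scanPackageLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue;                 // root project or workspace source
    const name = meta.name || path.slice(i + 13);
    if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// yarn.lock (classic v1 format): an unindented "spec, spec:" header, then an
// indented `version "x.y.z"` line.
function scanYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      name = spec.slice(0, spec.indexOf("@", 1));
    }
    const m = line.match(/^\s+version "(.+)"$/);
    if (m && name && isAffected(name, m[1])) hits.push({ name, version: m[1] });
  }
  return hits;
}
```

Pass `scanPackageLock` the parsed JSON of a lock file and `scanYarnLock` the raw file text; a hit on a transitive path means the package arrived through another dependency rather than a direct install.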
Sources
- New IronWorm malware hits 36 packages in npm supply-chain attack · BleepingComputer
Cite this entry
"New IronWorm malware hits 36 packages in npm supply-chain attack." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 4, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack-12l3ww