Attackers planted an infostealer inside 36 npm packages linked to the Arweave ecosystem. It targeted developer credentials, SSH keys, and Exodus crypto wallet files. Security firm JFrog traced the attack back to a compromised maintainer account. The malware is called IronWorm, and it is built using Rust. It activates the moment a developer installs one of the infected npm packages. Once running, it scans the infected computer for 86 environment variables and 20 credential files, according to JFrog’s research team. It goes after AWS tokens, Anthropic and OpenAI API keys, npm authentication credentials, and crypto wallet data.
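
Because the malware runs at install time, a useful defensive check is to list which packages in a dependency tree would execute code during `npm install`. The audit below is an added example, not code from JFrog or the original article; it assumes the install-time execution goes through npm lifecycle scripts (the article does not name the mechanism), and the package names in its sample tree are constructed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Lifecycle scripts that npm runs automatically during `npm install`.
// Assumption: the install-time trigger is one of these; the article does not say.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Collect every package.json under root, including scoped and nested packages.
function findManifests(root) {
  const out = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) out.push(...findManifests(full)); // symlinks are not followed
    else if (entry.name === "package.json") out.push(full);
  }
  return out;
}

// Report each package that would execute code at install time.
function auditInstallHooks(root) {
  const findings = [];
  for (const file of findManifests(root)) {
    let pkg;
    try { pkg = JSON.parse(fs.readFileSync(file, "utf8")) || {}; }
    catch { findings.push({ file, name: null, hooks: ["unparseable manifest"] }); continue; }
    const scripts = pkg.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((h) => `${h}: ${scripts[h]}`);
    // With binding.gyp and no install/preinstall script, npm defaults to `node-gyp rebuild`.
    const gyp = fs.existsSync(path.join(path.dirname(file), "binding.gyp"));
    if (gyp && !scripts.install && !scripts.preinstall) hooks.push("install: node-gyp rebuild (implicit)");
    if (hooks.length) findings.push({ file, name: pkg.name, hooks });
  }
  return findings;
}

// Constructed sample tree: package names and scripts are made up for the demo.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  const add = (dir, manifest, extra) => {
    fs.mkdirSync(path.join(root, dir), { recursive: true });
    fs.writeFileSync(path.join(root, dir, "package.json"), JSON.stringify(manifest));
    if (extra) fs.writeFileSync(path.join(root, dir, extra), "{}");
  };
  add("node_modules/plain-lib", { name: "plain-lib", scripts: { test: "node test.js" } });
  add("node_modules/@example/hooked", { name: "@example/hooked", scripts: { postinstall: "node setup.js" } });
  add("node_modules/native-addon", { name: "native-addon" }, "binding.gyp");
  return root;
}
console.log(auditInstallHooks(buildSampleTree()));
```

Point `auditInstallHooks` at a project directory to review its installed tree. Installing with `npm install --ignore-scripts` prevents these hooks from running at all, at the cost of breaking packages that need a build step.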