Arweave-linked WeaveDB npm packages trojanized to drop IronWorm malware

A Rust-based infostealer dubbed IronWorm was embedded in 36 npm packages connected to the Arweave/WeaveDB ecosystem, targeting developer credentials, SSH keys, and Exodus wallet files. The malware ran via a preinstall hook during npm install, searched 86 environment variables and 20 credential files, and used stolen GitHub tokens to spread through malicious commits. Security researchers advised anyone who installed the affected packages to rotate exposed secrets and harden npm/GitHub accounts.