Rust-built infostealer npm supply chain worm, identified by JFrog Security Research on 2026-06-03 as an evolved variant of the Shai-Hulud worm family. Distributed via npm packages published from the compromised `asteroiddao` account (43 packages), it targets the Arweave/WeaveDB decentralized-database and broader Web3/crypto developer ecosystem. The malicious install hook drops a ~976 KB Rust ELF (`tools/setup`, UPX-packed with overwritten magic) that harvests ~86 environment variables and 20+ credential file paths (cloud, AI API keys, SCM/registry/CI tokens, Kubernetes/Vault secrets), captures Exodus desktop wallet seed phrases, ships an eBPF kernel rootkit for process/socket hiding and anti-debugging, beacons to a Tor hidden service (/api/agent) with temp.sh fallback exfil, and self-republishes via npm OIDC Trusted Publishing. Code paths targeting PyPI, Cargo, Conan and vcpkg credentials/registries were also present. Shares Shai-Hulud tradecraft (claude@ commit spoofing, dependency-tooling masquerade, supply-chain self-propagation) but escalates to a custom native implant.
Objective
Harvest developer, cloud, AI, registry, CI/CD and crypto-wallet credentials from Web3/crypto (Arweave/WeaveDB) developers and self-propagate across npm via OIDC Trusted Publishing.
Related campaigns
Packages
- npm `weavedb-sdk` (attributed-to)
- npm `weavedb-lite` (attributed-to)
- npm `weavedb-sdk-base` (attributed-to)
- npm `test-weavedb-sdk` (attributed-to)
- npm `weavedb-warp-contracts-plugin-deploy` (attributed-to)
- npm `arnext-arkb` (attributed-to)
- npm `weavedb-console` (attributed-to)
- npm `arnext` (attributed-to)
- npm `roidjs` (attributed-to)
- npm `weavedb-exm-sdk` (attributed-to)
- npm `create-arnext-app` (attributed-to)
- npm `weavedb-tools` (attributed-to)
- npm `wdb-core` (attributed-to)
- npm `cwao-tools` (attributed-to)
- npm `test-ajs` (attributed-to)
- npm `monade` (attributed-to)
- npm `weavedb-exm-sdk-web` (attributed-to)
- npm `testnpmnmp` (attributed-to)
- npm `warp-contracts-plugin-deploy-test` (attributed-to)
- npm `wdb-cli` (attributed-to)
- npm `ai3` (attributed-to)
- npm `cwao-units` (attributed-to)
- npm `atomic-notes` (attributed-to)
- npm `cwao` (attributed-to)
- npm `weavedb-client` (attributed-to)
- npm `wdb-sdk` (attributed-to)
- npm `weavedb-offchain` (attributed-to)
- npm `fpjson-lang` (attributed-to)
- npm `weavedb-contracts` (attributed-to)
- npm `weavedb-node-client` (attributed-to)
- npm `arjson` (attributed-to)
- npm `hbsig` (attributed-to)
- npm `zkjson` (attributed-to)
- npm `aonote` (attributed-to)
- npm `weavedb-base` (attributed-to)
- npm `weavedb-sdk-node` (attributed-to)
- npm `wao` (attributed-to)
Indicators
- github_repo `asteroid-dao/eternal-storage` (indicates)
- github_repo `asteroid-dao/asteroid-protocol` (indicates)
- github_repo `alisista/aht-testnet` (indicates)
- github_repo `ocrybit/mweb3waves` (indicates)
- github_repo `ocrybit/by-coffeescript` (indicates)
- file_path `tools/setup` (indicates)
- file_path `.github/scripts/precheck` (indicates)
- file_path `q2.bpf.c` (indicates)
- url `tor://api/agent` (communicates-with)
- url `https://temp.sh` (exfiltrates-to)
- url `http://127.0.0.1:8738` (communicates-with)
- url `https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package` (communicates-with)
- wallet `0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6` (indicates)
- email `claude@users.noreply.github.com` (indicates)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1140 Deobfuscate/Decode Files or Information (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp T1528 Steal Application Access Token (uses)
- ttp T1078 Valid Accounts (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1090.003 Proxy: Multi-hop Proxy (uses)
- ttp T1014 Rootkit (uses)
- ttp T1564 Hide Artifacts (uses)
- ttp T1562.001 Impair Defenses: Disable or Modify Tools (uses)
- ttp T1622 Debugger Evasion (uses)
- ttp T1098 Account Manipulation (uses)
- ttp T1036 Masquerading (uses)
- ttp T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
