On June 3, JFrog Security Research published their analysis of IronWorm — a supply chain attack that compromised 37 npm packages through the asteroiddao account. A 976KB Rust ELF binary triggered by preinstall. Caught early, before spreading to popular packages. But the techniques are a step change from everything that came before.

Three things make IronWorm different.

1. It commits as "claude"

Every malicious commit pushed to victim repositories uses the author identity claude@users.noreply.gi

IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.
Pico

