The IronWorm campaign compromised 36 npm packages by abusing stolen Trusted Publishing credentials, delivering a Rust-based infostealer with an eBPF kernel rootkit that harvests AI API keys, AWS credentials, SSH private keys, and cryptocurrency wallet material. Any environment that consumed an affected package version during the exposure window must be treated as fully compromised for credential purposes. The attack propagates through CI/CD pipelines, making the blast radius proportional to how broadly affected packages were consumed across build infrastructure.
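One way to establish whether a build consumed an affected version, as an added example that is not part of the original advisory: it scans a parsed `package-lock.json`, in either lockfile layout, for direct and transitive matches against an advisory list. The entries in `ADVISORY` and the sample lockfiles are constructed placeholders, because this page does not list the affected packages or versions; `walkV1`, `installedPackages` and `findAffected` are hypothetical helper names.

```javascript
// Constructed placeholder advisory: name -> affected versions (not from the page).
const ADVISORY = new Map([
  ["example-affected-pkg", ["1.4.2", "1.4.3"]],
  ["@example-scope/affected-lib", ["0.9.1"]],
]);

// lockfileVersion 1: walk the nested "dependencies" tree.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (meta.version) yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Yield {name, version, path} for every installed package in a parsed lockfile.
function* installedPackages(lock) {
  if (!lock.packages) return yield* walkV1(lock.dependencies, "");
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !meta.version) continue; // root, workspace source, or link
    // Transitive copies nest as a/node_modules/b; the name is the last segment.
    const name = meta.name || path.slice(i + "node_modules/".length);
    yield { name, version: meta.version, path };
  }
}

// Return every installed copy, direct or transitive, that matches the advisory.
function findAffected(lock, advisory) {
  return [...installedPackages(lock)].filter((pkg) =>
    (advisory.get(pkg.name) || []).includes(pkg.version));
}

// Constructed sample lockfiles in the v3 and v1 shapes.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/left-ok": { version: "2.0.0" },
  "node_modules/left-ok/node_modules/example-affected-pkg": { version: "1.4.3" },
  "node_modules/@example-scope/affected-lib": { version: "0.9.0" }, // not listed
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "left-ok": { version: "2.0.0", dependencies: {
    "@example-scope/affected-lib": { version: "0.9.1" } } },
} };

for (const hit of [...findAffected(sampleV3, ADVISORY), ...findAffected(sampleV1, ADVISORY)])
  console.log(`AFFECTED ${hit.name}@${hit.version} at ${hit.path}`);
```

A lockfile records what was resolved at one commit, so run the check against every lockfile revision that was built during the exposure window, not only the current one.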