IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.
A supply chain attack called IronWorm compromised 37 npm packages by pushing malicious commits with forged timestamps. It targets Anthropic and OpenAI keys and uses social engineering to blend in with AI-generated commits. The attack is significant because it uses new techniques to evade detection and steals high-value credentials. Developers should be cautious of commits from 'claude' and review their environment variables and credential files.
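One way to act on the advice above, as an added example that is not from the original article: a review helper that flags commits authored as 'claude', flags author/committer date disagreement, and lists which AI provider key variables are set in the current environment. The date comparison and its 24-hour threshold are assumptions (the article does not say how the timestamps were forged), the function names are hypothetical, and the sample history is constructed.

```python
import os
import subprocess
# Fields: hash, author name, author date, committer date (unix), subject.
GIT_FORMAT = "%H%x1f%an%x1f%at%x1f%ct%x1f%s"
SUSPECT_AUTHORS = {"claude"}      # author name reported in the article
MAX_SKEW_SECONDS = 24 * 3600      # assumed threshold; tune per repository
KEY_VARS = ("ANTHROPIC_API_KEY", "OPENAI_API_KEY")  # read by the vendors' SDKs

def read_git_log(repo="."):  # history of a local clone, in GIT_FORMAT
    cmd = ["git", "-C", repo, "log", "--all", f"--format={GIT_FORMAT}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_log(text):
    commits = []
    for line in text.splitlines():
        parts = line.split("\x1f")
        if len(parts) != 5:
            continue  # skip blank or malformed records
        sha, author, author_ts, commit_ts, subject = parts
        commits.append((sha, author, int(author_ts), int(commit_ts), subject))
    return commits

def flag_commits(commits):  # returns [(sha, reasons)] for manual review
    findings = []
    for sha, author, author_ts, commit_ts, _subject in commits:
        reasons = []
        if author.strip().lower() in SUSPECT_AUTHORS:
            reasons.append("author name is 'claude'")
        # Assumed heuristic: rebases and cherry-picks also produce skew.
        if abs(commit_ts - author_ts) > MAX_SKEW_SECONDS:
            reasons.append("author and committer dates disagree")
        if reasons:
            findings.append((sha, reasons))
    return findings

def exposed_key_vars(environ=None):  # provider key variables that are set
    environ = os.environ if environ is None else environ
    return [name for name in KEY_VARS if environ.get(name)]

# Constructed sample history (not real commits).
SAMPLE_LOG = "\n".join("\x1f".join(f) for f in [
    ("a" * 40, "Alice Dev", "1700000000", "1700000300", "fix: typo"),
    ("b" * 40, "claude", "1600000000", "1700001000", "chore: update deps"),
    ("c" * 40, "Claude", "1700002000", "1700002000", "docs: readme"),
])
if __name__ == "__main__":
    for sha, reasons in flag_commits(parse_log(SAMPLE_LOG)):
        print(sha[:12], "; ".join(reasons))
    print("key variables set:", exposed_key_vars())
```

To check real history, pass the output of `read_git_log()` from inside a clone to `parse_log` in place of the sample.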