IronWorm npm Package Checker
Check a package name, package.json, or lockfile text against the 36 npm packages and affected
versions reported in the IronWorm supply-chain attack.
- Runs locally in your browser
- Updated 2026-06-06
- 36 affected packages tracked
Paste dependencies
Supports package names, package.json, package-lock.json, yarn.lock, and pnpm-lock snippets.
Affected npm packages
The table mirrors the package names and affected versions published by OX Security. Treat the list as a fast triage aid, not a replacement for your own incident review.
| Package name | Affected version | Risk |
|---|---|---|
| weavedb-sdk | 0.45.3 | Affected |
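
The same kind of check can be run offline against a `package-lock.json`. The following is an added example, not this page's checker code and not OX Security's: it assumes npm lockfiles only, `AFFECTED` holds just the one row shown above and must be filled in from the report, and `demo-app` and `some-tool` are hypothetical names in a constructed sample.

```javascript
// Added example (Node.js, no dependencies). AFFECTED has only the row shown on this page.
const AFFECTED = new Map([["weavedb-sdk", new Set(["0.45.3"])]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 install path).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Collect every resolved (name, version, path), including transitive installs.
function installedPackages(lock) {
  const found = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // meta.name is present for aliased installs, where the folder name differs.
    const name = meta.name || nameFromPath(path);
    if (name && meta.version) found.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      if (meta.version) found.push({ name, version: meta.version, path });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

function findAffected(lockText, affected = AFFECTED) {
  const lock = JSON.parse(lockText);
  return installedPackages(lock).filter(
    (p) => affected.has(p.name) && affected.get(p.name).has(p.version)
  );
}

// Constructed sample: a nested copy at the listed version, a top-level copy at another.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool/node_modules/weavedb-sdk": { version: "0.45.3" },
    "node_modules/weavedb-sdk": { version: "0.45.2" },
  },
});
console.log(findAffected(SAMPLE_LOCK));
```

The reported `path` shows which parent pulled the package in, which helps when the match is a transitive dependency rather than one listed in `package.json`.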
What to do after a match
IronWorm was reported as an infostealer that targeted developer and CI credentials. If your dependency tree installed an affected version, assume the host and exposed secrets need review.
- Upgrade or remove the affected package version.
- Rotate npm, GitHub, OpenAI, Anthropic, AWS, SSH, and vault credentials exposed on the host.
- Review CI logs, artifacts, install scripts, and unexpected repository commits.
- Enable 2FA on npm and source-control accounts.
- Preserve evidence before deleting caches if your team needs incident records.
Sources and limits
Package/version data is based on OX Security's IronWorm report. Incident impact context is cross-checked against BleepingComputer. This page does not provide legal, incident-response, or investment advice.