RSS

Popular node-IPC NPM package compromised to steal credentials

Brajeshwar1 pts0 comments

Popular node-ipc npm package compromised to steal credentials

Home<br>News<br>Security<br>Popular node-ipc npm package compromised to steal credentials

Popular node-ipc npm package compromised to steal credentials

By Bill Toulas

May 15, 2026

01:10 PM

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.

The node-ipc package is a Node.js module that enables various processes to communicate through all forms of sockets, including Unix, Windows, UDP, TLS, and TCP.

Despite the maintainer publishing in March 2022 weaponized versions that targeted Russia and Belarus-based systems with a data-overwriting module, in protest to the Russian invasion of Ukraine, the package still has more than 690,000 weekly downloads on npm.

The recent supply-chain attack was detected by multiple application security companies, including Socket, Ox Security, and Upwind, who confirmed the following three versions as malicious:

node-ipc@9.1.6

node-ipc@9.2.3

node-ipc@12.0.1

The malicious code hides inside the CommonJS entrypoint (node-ipc.cjs) and executes automatically whenever applications are loaded.

The malware is heavily obfuscated and fingerprints infected systems, collects environment variables and sensitive local files, compresses the stolen data into archives, and exfiltrates it through DNS TXT queries.

The latest compromise appears to be the work of an external actor who compromised the account of an inactive maintainer named 'atiertant.'

According to the researchers, the infostealer injected in the new node-ipc versions collects the following types of information from compromised systems:

Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean, and others

SSH keys and SSH configs

Kubernetes, Docker, Helm, and Terraform credentials

npm, GitHub, GitLab, and Git CLI tokens

.env files and database credentials

Shell histories and CI/CD secrets

macOS Keychain files and Linux keyrings

Firefox profile and key database files (on macOS)

Microsoft Teams local storage and IndexedDB paths

The malware skips files larger than 4 MiB and avoids scanning .git and node_modules directories to increase efficiency and reduce operational noise on the host.

Attack overview<br>Source: Ox Research

A notable operational characteristic is the use of DNS TXT queries instead of conventional HTTP-based command-and-control (C2) traffic for data exfiltration. The attackers use a fake Azure-themed domain (sh[.]azurestaticprovider[.]net:443) as a bootstrap resolver, transmitting the data to &lsquo;bt[.]node[.]js&rsquo; with query prefixes like xh, xd, and xf.

According to Socket, exfiltrating a 500 KB compressed archive could generate roughly 29,400 DNS TXT requests, helping the traffic blend into normal DNS activity.

Prior to submission, the malware stores collected data in temporary compressed tar.gz archives, which are deleted after exfiltration to reduce forensic traces.

The malware does not establish persistence or download any secondary payloads, so the operation appears focused on rapid credential theft and exfiltration.

Potentially impacted developers should immediately remove the affected versions, rotate exposed secrets and credentials, and inspect lockfiles and npm caches.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.<br>This guide covers the 6 surfaces you actually need to validate.

Download Now

Related Articles:

Shai Hulud attack ships signed malicious TanStack, Mistral npm packages<br>New npm supply-chain attack self-spreads to steal auth tokens<br>PyPI package with 1.1M monthly downloads hacked to push infostealer<br>Hackers compromise Axios npm package to drop cross-platform malware<br>GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

Info Stealer

Information Stealer

Malware

node-ipc

npm

Packages

Supply Chain

Supply Chain Attack

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Windows BitLocker zero-day gives access to protected drives, PoC released

Dell confirms its SupportAssist software causes Windows BSOD crashes

OpenAI confirms security breach in TanStack supply chain attack

Sponsor Posts

Are stolen sessions bypassing your security? Find out for free.

https://www.nmftacyber.com/

12 steps to defend against AI-powered exploits...

node package malware credentials attack popular

Related Articles

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play

Old Reddit Is Down

Crunsher7 ptsdata autoplay videoplayerelement comments function false

The ultimate female fantasy – A feminist critique of Beauty and the Beast

muge6 ptsbeast story paglia beauty older butler
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.