Stealer-Backdoor Discovered in Three Node-IPC Versions

Key points: Three versions of the npm package node-ipc (9.1.23, 9.2.3, 10.1.1) contain malware that steals developer and cloud access credentials upon package loading and transmits them to a C2 server. The malware targets over 90 categories of login credentials.

Security experts warn of malicious activity in recent versions of the npm package node-ipc. Versions 9.1.23, 9.2.3, and 10.1.1 contain obfuscated stealer and backdoor functionality designed to siphon developer credentials.

Cybersecurity experts have warned of malware in recently released versions of the node-ipc package. The security firms Socket and StepSecurity identified three versions of the npm package, 9.1.23, 9.2.3, and 10.1.1, as malicious. According to preliminary analysis, the malware contains covert stealer and backdoor functions.

The malware captures the host environment, enumerates and reads local files, compresses the collected data, encrypts the payload, and attempts to exfiltrate it to a network endpoint selected through DNS or address-based logic. StepSecurity reports that the heavily obfuscated payload is activated at runtime when the package is imported, and subsequently attempts to steal a broad range of developer and cloud access credentials and transmit them to an external command-and-control (C2) server.

The data includes credentials across 90 categories, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configurations, Claude AI and Kiro IDE settings, Terraform state files, database passwords, and shell history. The collected data is compressed into a GZIP archive and sent to the domain “sh.azurestaticprovider[.]net”.

The three versions were published by an account named “atiertant”, which has no connection to the original package author “riaevangelist”.