The gist: The npm package node-ipc was compromised with credential-stealing malware. The tampered versions 9.1.6, 9.2.3, and 12.0.1 steal cloud credentials, SSH keys, and sensitive files via DNS exfiltration. A compromised maintainer account is the likely cause.
Hackers have infected a widely-used Node.js library for inter-process communication with credential-stealing malware. The tampered versions of the npm package node-ipc have been identified by multiple security firms and represent a new supply-chain threat.
The npm package node-ipc, which is downloaded by over 690,000 developers per week, has become the target of a new supply-chain attack. The security firms Socket, Ox Security, and Upwind have identified three tampered versions: 9.1.6, 9.2.3, and 12.0.1. The malware is hidden in the CommonJS entry point of the package and runs automatically as soon as an application loads the module, so no call into the library's API is needed to trigger it.
The malicious code is heavily obfuscated and fingerprints the infected system. It collects environment variables and sensitive local files, compresses the stolen information, and exfiltrates it via DNS TXT requests. The malware specifically targets cloud credentials — including access credentials for AWS, Azure, GCP, OCI, and DigitalOcean — as well as SSH keys, configuration files, and configurations for Kubernetes, Docker, Helm, and Terraform.
Researchers believe that an external attacker compromised the account of an inactive maintainer named “atiertant”. This is not the first malicious manipulation of the package: the original maintainer had already published poisoned versions with malware in March 2022 that specifically targeted systems in Russia and Belarus with a data-deletion payload in protest against the invasion of Ukraine.