The Point: Three versions of the popular Node-IPC npm package were infected with stealer malware that exfiltrates up to 90 categories of developer and cloud secrets. The compromised versions were published by an unauthorized account and exfiltrate data to external C2 servers.
Cybersecurity experts warn of malicious activity in recently published versions of the Node-IPC package. Socket and StepSecurity have confirmed that three npm versions are infected with stealer and backdoor malware that attempts to steal sensitive developer credentials.
The three affected versions — node-ipc@9.1.23, node-ipc@9.2.3, and node-ipc@12.0.1 — exhibit heavily obfuscated stealer and backdoor functionality. The malware fingerprints the host environment, enumerates and reads local files, compresses and fragments collected data, and then attempts to exfiltrate the payload wrapped in a cryptographic envelope to a network endpoint.
According to StepSecurity, the heavily obfuscated payload is activated at runtime upon package import. It then attempts to steal a broad range of developer and cloud credentials. This includes 90 categories of secrets such as AWS, Google Cloud, and Azure credentials, SSH keys, Kubernetes tokens, GitHub CLI configurations, Claude AI and Kiro IDE settings, Terraform state files, database passwords, and shell history.
The collected data is compressed into a GZIP archive and transmitted to an external command-and-control (C2) server. The three versions were published by an account named “atiertant” under the “.net” domain, which has no connection to the original package author “riaevangelist”.