Stealer Backdoor Discovered in Three Node-IPC Versions, Compromising Developer Secrets
Cybersecurity experts have raised significant concerns regarding malicious activity linked to newly published versions of the popular npm package, node-ipc. The discovery of compromised versions has implications for developers and organizations relying on this package for inter-process communication in Node.js applications.
Malicious Versions Identified
Recent investigations by cybersecurity firms Socket and StepSecurity have confirmed that three specific versions of node-ipc are malicious:
- node-ipc@9.1.6
- node-ipc@9.2.3
- node-ipc@12.0.1
Initial analyses indicate that these versions contain obfuscated stealer and backdoor functionalities. The malware is designed to fingerprint the host environment, enumerate and read local files, and compress and chunk the collected data. It then wraps the payload in a cryptographic envelope before attempting to exfiltrate the information through a network endpoint determined by DNS logic.
Scope of Data Compromised
The malicious payload is triggered when the package is required at runtime. It seeks to exfiltrate a wide array of developer and cloud credentials, encompassing over 90 categories. This includes sensitive information such as:
- Amazon Web Services (AWS) credentials
- Google Cloud credentials
- Microsoft Azure credentials
- SSH keys
- Kubernetes tokens
- GitHub CLI configurations
- Terraform state files
- Database passwords
- Shell history
The collected data is subsequently compressed into a GZIP archive and sent to the domain “sh.azurestaticprovider[.]net.”
Unusual Publishing Behavior
The three compromised versions were published by an account named “atiertant,” which has no previous connection to the package’s original author, “riaevangelist.” Although “atiertant” appears in the maintainer list, the account lacks any prior publishing history related to node-ipc. The last legitimate update to the package occurred in August 2024.
The fact that this high-download package was compromised after a 21-month hiatus raises concerns. It suggests that either the “atiertant” credentials were newly compromised or that the account was specifically added as a maintainer to distribute the malicious versions.
Technical Mechanisms of the Attack
Notably, the malicious activity does not rely on npm lifecycle hooks such as preinstall, install, or postinstall scripts. Instead, the malware appends its payload as an Immediately Invoked Function Expression (IIFE) to the end of “node-ipc.cjs.” This design ensures that the malware activates unconditionally upon every invocation of require('node-ipc').
In version 12.0.1, the payload additionally gates execution behind a SHA-256 fingerprint check against a hard-coded hash assembled from eight obfuscated fragments embedded in the code. This lets the attacker target specific projects or developers by pre-computing the hash of their entry point before publishing. The 9.x versions lack this gate and execute the full payload on any system that loads them.
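As an added illustration (not code from the article or from the node-ipc project), the following Node.js script audits a package-lock.json for the three versions named above, including nested copies, and applies a heuristic check to node-ipc.cjs for a trailing top-level IIFE, the placement the article describes. The lockfile below is constructed for the example; the IIFE check is a triage signal, not proof of compromise, since legitimate files can also end in an IIFE.

```javascript
// Versions named in the advisory, and the clean versions it recommends per major line.
const MALICIOUS_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']);
const CLEAN_VERSIONS = { 9: '9.2.1', 12: '12.0.0' };

// Collect every node-ipc entry from a parsed package-lock.json, including nested
// copies. Handles lockfileVersion 2/3 ("packages") and v1 ("dependencies").
function findNodeIpc(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/node-ipc') && meta.version) hits.push(describe(p, meta.version));
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc' && meta.version) hits.push(describe(p, meta.version));
      walk(meta.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

function describe(path, version) {
  const major = version.split('.')[0];
  return {
    path,
    version,
    malicious: MALICIOUS_VERSIONS.has(version),
    replaceWith: CLEAN_VERSIONS[major] || null, // null: no clean version listed for this major
  };
}

// Heuristic: the advisory says the payload is an IIFE appended to the end of
// node-ipc.cjs, so flag a file whose final statement is a call of the form
// "(function(){...})()", "(()=>{...})()" or "(function(){...}())".
function endsWithIife(source) {
  const tail = source.slice(-4000).trimEnd();
  return /\}\s*\)\s*\(\s*\)\s*;?$|\}\s*\(\s*\)\s*\)\s*;?$/.test(tail);
}

// Constructed sample lockfile (not real project data): one direct malicious
// copy and one clean copy nested under another dependency.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/node-ipc': { version: '12.0.1' },
  'node_modules/legacy-tool/node_modules/node-ipc': { version: '9.2.1' },
} };

for (const hit of findNodeIpc(SAMPLE_LOCK)) console.log(hit);
```

In a real audit, read package-lock.json with `fs.readFileSync` and `JSON.parse`, and compare the SHA-256 of the installed node-ipc.cjs against the same file from a clean tarball of 9.2.1 or 12.0.0.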
Exfiltration Techniques
In addition to sending an HTTPS POST request to the fake Azure domain containing the stolen data, the malware employs a secondary exfiltration channel. It encodes chunks of the archive as a DNS TXT record, overriding the system’s DNS resolver with Google Public DNS to evade local DNS-based security measures.
The malware first resolves “sh.azurestaticprovider[.]net” using either 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the command-and-control (C2) IP address. It then redirects the resolver directly to the C2 IP for all exfiltration queries. This direct-to-C2 DNS sink is a notable anti-detection technique, as the exfiltration queries do not interact with public DNS resolvers, leaving no observable activity in public DNS logs.
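Because the exfiltration queries bypass the configured resolver, the sequence above is visible on the host or network even though it never reaches public DNS logs. The following detection logic is an added example (not from the article): it scans DNS query records for the pattern described, a lookup of the C2 domain through a public resolver followed by TXT queries sent straight to a non-resolver IP. The log format, the corporate resolver address 10.0.0.53 and the destination IP 203.0.113.7 are constructed for this example.

```javascript
// Assumed corporate resolver; any DNS query to another destination is a bypass.
const APPROVED_RESOLVERS = new Set(['10.0.0.53']);
// Domain named in the advisory (undefanged here so it can be matched).
const C2_DOMAIN = 'sh.azurestaticprovider.net';

// Parse "key=value" records; this layout is constructed for the example.
function parseLine(line) {
  const rec = {};
  for (const kv of line.trim().split(/\s+/)) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Shannon entropy in bits per character; encoded payload chunks score high.
function entropy(s) {
  const freq = {};
  for (const c of s) freq[c] = (freq[c] || 0) + 1;
  return Object.values(freq).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// One finding per suspicious record, naming every rule that fired.
function analyzeDns(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r.dst || !r.qname) continue;
    const reasons = [];
    if (r.qname === C2_DOMAIN) reasons.push('ioc-domain');
    if (!APPROVED_RESOLVERS.has(r.dst)) reasons.push('resolver-bypass');
    const label = r.qname.split('.')[0];
    if (r.qtype === 'TXT' && label.length >= 32 && entropy(label) > 3.5) reasons.push('encoded-txt-label');
    if (reasons.length) findings.push({ proc: r.proc, dst: r.dst, qname: r.qname, reasons });
  }
  return findings;
}

// Constructed sample records: a benign registry lookup, the C2 domain resolved
// via 1.1.1.1, then a TXT query with an opaque label sent directly to an IP.
const SAMPLE_LOG = [
  'ts=2025-05-01T10:00:00Z host=ci-01 proc=node dst=10.0.0.53 qtype=A qname=registry.npmjs.org',
  'ts=2025-05-01T10:00:02Z host=ci-01 proc=node dst=1.1.1.1 qtype=A qname=sh.azurestaticprovider.net',
  'ts=2025-05-01T10:00:03Z host=ci-01 proc=node dst=203.0.113.7 qtype=TXT qname=Zx9Qm4Kp2Lr7Vt1Nw8Bc3Hd6Fg5Js0Yh.c1.example',
];

for (const f of analyzeDns(SAMPLE_LOG)) console.log(f);
```

Pair the `resolver-bypass` rule with an egress policy that allows udp/53 and tcp/53 only to the approved resolvers, so the second stage is blocked as well as logged.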
Historical Context of Malicious Activity
This incident is not the first time the node-ipc package has been associated with malicious functionality. In March 2022, the package maintainer deliberately introduced destructive capabilities in versions 10.1.1 and 10.1.2, overwriting files on systems located in Russia or Belarus as a form of protest against Russia’s military actions in Ukraine. Subsequent versions, 11.0.0 and 11.1.0, included a dependency named “peacenotwar,” also published by the same maintainer, as a non-violent protest.
The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into known package versions rather than a simple typosquatting attempt.
Recommended Actions for Users
In light of these developments, users are strongly advised to take immediate action:
- Remove the compromised versions of node-ipc and reinstall known clean versions (9.2.1 and 12.0.0).
- Assume compromise and rotate all credentials and secrets.
- Audit npm publish activity for any packages accessible with the rotated tokens.
- Review workflow run logs for any suspicious activity.
- Audit cloud logs to check for unauthorized actions performed by IAM identities whose credentials were exposed during the compromised period.
- Block egress traffic to the C2 domain.
The implications of this incident underscore the ongoing risks associated with supply chain attacks in the software development ecosystem. Developers and organizations must remain vigilant and proactive in securing their environments against such threats.
Source: thehackernews.com