Malicious node-ipc npm Packages Ignite Supply Chain Security Concerns
A recent supply chain attack targeting the widely utilized node-ipc npm package has raised significant alarms within the JavaScript ecosystem. Researchers have uncovered multiple malicious releases that contain an obfuscated credential stealer and backdoor functionality. Security analysts confirmed that several recently published package tarballs were infected with malware capable of harvesting sensitive data from developer systems and continuous integration (CI) environments.
Compromised Versions Identified
The malicious versions identified in this incident have been flagged by security experts. Researchers at Socket reported that these suspicious versions were classified as malware within approximately three minutes of their publication. Their investigation revealed that the compromised node-ipc releases contained heavily obfuscated code designed to fingerprint systems, collect local files, compress stolen data, encrypt the payload, and exfiltrate information through DNS-based communication channels.
This incident marks yet another significant security issue involving the long-standing npm package, which has previously been linked to one of the most discussed software supply chain incidents in the Node.js community.
Reviving Earlier Supply Chain Concerns
The latest attack does not appear to be a typosquatting campaign. Analysts believe that the threat actor republished or reintroduced malicious functionality directly into legitimate node-ipc package versions. Researchers have also pointed to earlier compromises associated with the package. In 2022, versions 10.1.1 and 10.1.2 contained geo-targeted destructive malware that checked whether systems were located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the controversial “peacenotwar” dependency associated with unauthorized file-writing behavior.
The newly discovered malware specifically affects the CommonJS implementation of the npm package. According to technical analysis, the malicious payload exists solely in the node-ipc.cjs file. The ESM wrapper, node-ipc.js, remained clean in the reviewed package artifacts and simply imported source files without containing the injected payload.
Investigators also identified an unusual forensic indicator across the infected tarballs: every file within the reviewed archives carried the timestamp “Oct. 26, 1985.” This timestamp appeared consistently across all analyzed malicious package artifacts, potentially aiding investigators in identifying infected caches or registry mirrors.
Alleged Hijacking of Dormant Maintainer Account
The investigation suggests that the attack may have originated through the takeover of a dormant maintainer account. The node-ipc project reportedly has 12 npm maintainers, including an account named “atiertant,” which still retains publishing privileges despite years of inactivity. Independent researcher Ian Ahl, also known online as @TekDefense and CTO at Permiso, identified what he described as the likely attack vector: an expired email domain linked to the maintainer account.
According to the published timeline:
- Atlantis-software[.]net was originally registered on Jan. 10, 2001.
- The domain expired on Jan. 10, 2025, after reportedly not being renewed.
- An attacker allegedly re-registered the domain through NameCheap on May 7, 2026.
- The attacker may have configured mail servers and initiated an npm password reset.
- Three malicious node-ipc versions were subsequently published on May 14, 2026, between 14:25 and 14:26 UTC.
Researchers believe that if the npm recovery email address was still associated with the expired domain, the new domain owner could have intercepted password reset emails and regained publishing access without directly compromising the maintainer’s infrastructure.
Credential Stealer Activated Through CommonJS Loading
The malware embedded within the node-ipc npm package relied on runtime execution rather than installation scripts. When applications used require("node-ipc"), the malicious node-ipc.cjs file executed an appended obfuscated Immediately Invoked Function Expression (IIFE) during module loading. The payload exposed an internal runner function named __ntRun, creating additional execution paths beyond the initial automatic activation. Analysts noted that any downstream code invoking require("node-ipc").__ntRun() could trigger another round of data collection and exfiltration.
The malware utilized an environment variable called __ntw to distinguish execution paths. In most cases, the parent process spawned a detached child process that handled credential harvesting independently. If the child process failed, the malware executed within the current process instead.
Extensive Data Collection Targeted Developer Environments
The malicious node-ipc code performed extensive reconnaissance using Node.js operating system APIs. The malware gathered details including:
- Operating system platform
- System architecture
- Hostname
- Kernel version
- Environment variables
The payload also attempted to execute uname -a and stored results in uname.txt. Additional harvested files included /etc/hosts and envs.txt, which contained sorted environment variables formatted as KEY=value. Researchers warned that the environment collection process was not selective; any secrets stored in environment variables—including cloud credentials, CI tokens, registry credentials, API keys, and database secrets—could be captured by the credential stealer.
The malware reportedly targeted a wide range of developer and infrastructure assets, including:
- AWS, Azure, GCP, OCI, and DigitalOcean configuration files
- SSH keys and SSH configurations
- Kubernetes, Docker, Helm, and Rancher credentials
- npm, Yarn, GitHub CLI, GitLab CLI, and Netrc credentials
- Terraform credential files and .tfvars data
- .env files and database configuration files
- Shell history files and database CLI histories
- macOS Keychain databases
- Firefox key database files on macOS
- Linux keyrings and KWallet files
- Microsoft Teams local storage and IndexedDB data
The payload intentionally skipped files larger than 4 MiB and avoided recursively scanning node_modules and .git directories.
DNS TXT Queries Used for Data Exfiltration
One of the more unusual aspects of the attack involved the malware’s exfiltration mechanism. Instead of using traditional HTTP or HTTPS communication, the credential stealer relied on DNS TXT queries. The malware attempted to communicate with the bootstrap resolver: sh[.]azurestaticprovider[.]net:443. Researchers described the domain as a deliberate lookalike of Microsoft’s legitimate Azure Static Web Apps infrastructure. At the time of analysis, the domain resolved to IP address 37.16[.]75.69.
Exfiltrated data was transmitted as queries under the attacker's DNS zone. Analysts estimated that exfiltrating a compressed archive of roughly 500 KiB would require approximately 29,400 DNS TXT queries, each carrying a fragment of the data in its query name prefix. The payload created compressed gzip archives from collected files, temporarily storing them in a designated location. Although the malware attempted to delete the archive afterward using unlinkSync(), interrupted executions could leave the archives on disk for forensic recovery.
Impact and Indicators of Compromise
Security researchers confirmed that the malicious node-ipc npm package versions were capable of stealing credentials and configuration files from systems loading the CommonJS entry point. The reviewed samples did not establish persistence mechanisms such as cron jobs, launchd services, or secondary malware downloads. The primary operational window focused on credential collection, archive creation, DNS exfiltration, and cleanup.
Investigators identified several indicators of compromise tied to the malicious tarballs, including:
Malicious package artifacts and their SHA-256 file hashes:
- node-ipc.cjs, SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
- node-ipc-9.1.6.tgz, SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
- node-ipc-9.2.3.tgz, SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
- node-ipc-12.0.1.tar.gz, SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
Security Recommendations
Researchers advised developers and organizations to immediately remove the compromised node-ipc npm package versions and reinstall verified clean releases. They also recommended auditing package-lock files, Yarn lockfiles, build caches, and local npm caches for malicious artifacts. Organizations whose systems loaded the infected CommonJS versions were urged to treat local credentials and environment secrets as compromised. Recommended remediation steps included rotating SSH keys, npm tokens, cloud provider credentials, GitHub and GitLab tokens, Kubernetes credentials, Docker registry secrets, Terraform credentials, and database access keys.
Security teams were additionally encouraged to monitor DNS traffic for TXT query patterns beginning with xh, xd, or xf under the bt[.]node[.]js domain, as well as unusual bursts of high-volume DNS TXT traffic that could indicate active exfiltration attempts involving the malicious tarballs.
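The DNS monitoring advice above, as an added Node.js example that is not part of the article: it checks TXT queries against the bt[.]node[.]js zone and the xh/xd/xf prefixes the article names, and separately flags clients issuing high-volume TXT bursts. The log line format, the 50-queries-per-minute threshold and the sample lines are constructed assumptions.

```javascript
// Added example, not code from the article: flag DNS TXT queries that match the
// exfiltration pattern the article describes, and clients issuing TXT bursts.
// The zone and label prefixes are the article's indicators; the log line format,
// the burst threshold and SAMPLE_LINES are constructed assumptions.
const EXFIL_ZONE = "bt.node.js";            // exfiltration zone named in the article
const LABEL_PREFIXES = ["xh", "xd", "xf"];  // TXT query prefixes named in the article
const BURST_THRESHOLD = 50;                 // assumed: TXT queries per client within 60 s
const WINDOW_MS = 60000;
// Parse one line of the constructed format "<ISO time> <client IP> <qtype> <qname>".
function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), client, qtype: qtype.toUpperCase(), qname: qname.toLowerCase().replace(/\.$/, "") };
}
// A query matches when it is a TXT lookup under the zone and its first label carries a listed prefix.
function isExfilQuery(q) {
  if (q.qtype !== "TXT" || !q.qname.endsWith("." + EXFIL_ZONE)) return false;
  const firstLabel = q.qname.split(".")[0];
  return LABEL_PREFIXES.some((p) => firstLabel.startsWith(p));
}
// Clients whose TXT query count inside any 60 s sliding window reaches the threshold,
// regardless of the queried zone (the article also flags generic high-volume TXT bursts).
function txtBurstClients(queries) {
  const byClient = new Map();
  for (const q of queries) {
    if (q.qtype !== "TXT") continue;
    if (!byClient.has(q.client)) byClient.set(q.client, []);
    byClient.get(q.client).push(q.ts);
  }
  const bursts = [];
  for (const [client, times] of byClient) {
    times.sort((a, b) => a - b);
    for (let i = 0, start = 0; i < times.length; i++) {
      while (times[i] - times[start] > WINDOW_MS) start++;
      if (i - start + 1 >= BURST_THRESHOLD) { bursts.push(client); break; }
    }
  }
  return bursts;
}
// Run both checks over raw log lines.
function detect(lines) {
  const queries = lines.map(parseLine);
  return { exfil: queries.filter(isExfilQuery), bursts: txtBurstClients(queries) };
}
// Constructed sample: one host sending 60 TXT queries under the zone within a minute, plus benign lookups.
const SAMPLE_LINES = Array.from({ length: 60 }, (_, i) =>
  `2026-05-15T09:00:${String(i).padStart(2, "0")}Z 10.0.0.5 TXT xh${i.toString(36)}q0.${EXFIL_ZONE}`);
SAMPLE_LINES.push("2026-05-15T09:00:10Z 10.0.0.9 TXT _dmarc.example.com", "2026-05-15T09:00:11Z 10.0.0.9 A registry.npmjs.org");
console.log(detect(SAMPLE_LINES));
```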
Source: thecyberexpress.com