Malicious node-ipc versions found stealing cloud and developer secrets

Cybersecurity researchers said three newly published versions of the popular node-ipc npm package contain malicious code that can steal developer and cloud credentials, with one version targeting only a specific project based on a SHA-256 hash check.

KEY FACTS

  • Versions affected: node-ipc 9.1.6, 9.2.3 and 12.0.1 were confirmed as malicious.
  • Payload: The code fingerprints the host, reads local files and tries to exfiltrate secrets.
  • Data targeted: The package sought AWS, Google Cloud, Azure, SSH, Kubernetes and GitHub CLI data, among other credentials.
  • Delivery: The malware was appended to node-ipc.cjs and runs when the package is required.

A technical analysis by Socket said the package versions contain obfuscated stealer and backdoor behavior. StepSecurity said the payload runs at runtime, rather than through npm lifecycle hooks, and sends collected data to a command and control server.

The report said the malware can harvest a wide range of developer and cloud secrets, compress the data into a GZIP archive and transmit it to sh.azurestaticprovider[.]net. It also described a second exfiltration path that uses DNS TXT records after changing the resolver to Google Public DNS.

The three releases were published by an account named atiertant, which had no prior publish history tied to the package. The article said the package had not been updated since August 2024, with the new releases appearing after a 21-month gap.

StepSecurity said version 12.0.1 checks the SHA-256 hash of the module path and stays inert unless it matches a hard-coded value. The 9.x releases do not have that gate and can run on any system that loads them.

The disclosure also said the malware attempts to keep running in detached background child processes after the parent application exits. The package has previously carried harmful code, including versions in 2022 that overwrote files on systems in Russia or Belarus.

WHY IT MATTERS

The incident shows how supply chain attacks can be used to steal secrets from developers and cloud environments through trusted open source packages. Users of the affected versions are advised to remove them, reinstall known clean releases, rotate credentials and review logs for signs of unauthorized activity.