A fresh supply chain attack targeting the widely used node-ipc npm package has raised new concerns across the JavaScript ecosystem after researchers uncovered multiple malicious releases containing an obfuscated credential stealer and backdoor functionality. Security analysts confirmed that several recently published package tarballs were infected with malware capable of harvesting sensitive data from developer systems and CI environments.
The compromised versions identified as malicious include:
Researchers at Socket reported that the suspicious versions were flagged within approximately three minutes of publication, classifying the activity as malware almost immediately. Their investigation found that the malicious node-ipc releases contained heavily obfuscated code designed to fingerprint systems, collect local files, compress stolen data, encrypt the payload, and exfiltrate information through DNS-based communication channels.
The incident marks another major security issue involving the long-running npm package, which was previously linked to one of the most discussed software supply chain incidents in the Node.js community.
Malicious node-ipc Versions Revive Earlier Supply Chain Concerns
The latest attack does not appear to be a typosquatting campaign. Instead, analysts believe the threat actor republished or reintroduced malicious functionality directly into legitimate node-ipc package versions.
Researchers also pointed to earlier compromises connected to the package. In 2022, versions 10.1.1 and 10.1.2 contained geo-targeted destructive malware that checked whether systems were located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the controversial “peacenotwar” dependency associated with unauthorized file-writing behavior.
The newly discovered malware specifically affects the CommonJS implementation of the npm package. According to the technical analysis, the malicious payload exists only in the node-ipc.cjs file. The ESM wrapper, node-ipc.js, remained clean in the reviewed package artifacts and simply imported source files without containing the injected payload.
Investigators also identified an unusual forensic indicator across the infected tarballs. Every file within the reviewed archives carried the timestamp “Oct. 26, 1985.” Researchers noted that this timestamp appeared consistently across all analyzed malicious package artifacts and may help investigators identify infected caches or registry mirrors.
Dormant Maintainer Account Allegedly Hijacked
The investigation suggests the attack may have originated through the takeover of a dormant maintainer account. The node-ipc project reportedly has 12 npm maintainers, including an account named “atiertant,” which still retains publishing privileges despite years of inactivity.
Independent researcher Ian Ahl, also known online as @TekDefense and CTO at Permiso, publicly identified what he described as the likely attack vector: an expired email domain linked to the maintainer account.
According to the published timeline:
- Atlantis-software[.]net was originally registered on Jan. 10, 2001.
- The domain expired on Jan. 10, 2025, after reportedly not being renewed.
- An attacker allegedly re-registered the domain through NameCheap on May 7, 2026.
- The attacker may then have configured mail servers and initiated an npm password reset.
- Three malicious node-ipc versions were subsequently published on May 14, 2026, between 14:25 and 14:26 UTC.
Researchers believe that if the npm recovery email address was still associated with the expired domain, the new domain owner could have intercepted password reset emails and regained publishing access without directly compromising the maintainer’s infrastructure.
Credential Stealer Activated Through CommonJS Loading
The malware embedded inside the node-ipc npm package relied on runtime execution rather than installation scripts. When applications used require("node-ipc"), the malicious node-ipc.cjs file executed an appended obfuscated IIFE during module loading.
The payload exposed an internal runner function named __ntRun, creating additional execution paths beyond the initial automatic activation. Analysts noted that any downstream code invoking require("node-ipc").__ntRun() could trigger another round of data collection and exfiltration.
The malware used an environment variable called __ntw to distinguish execution paths. In most cases, the parent process spawned a detached child process that handled credential harvesting independently. If the child process failed, the malware executed within the current process instead.
Extensive Data Collection Targeted Developer Environments
The malicious node-ipc code performed extensive reconnaissance using Node.js operating system APIs. The malware gathered details including:
- Operating system platform
- System architecture
- Hostname
- Kernel version
- Environment variables
The payload also attempted to execute uname -a and stored results inside uname.txt. Additional harvested files included /etc/hosts and envs.txt, which contained sorted environment variables formatted as KEY=value.
Researchers warned that the environment collection process was not selective. Any secrets stored in environment variables—including cloud credentials, CI tokens, registry credentials, API keys, and database secrets—could be captured by the credential stealer.
The malware reportedly targeted a wide range of developer and infrastructure assets, including:
- AWS, Azure, GCP, OCI, and DigitalOcean configuration files
- SSH keys and SSH configurations
- Kubernetes, Docker, Helm, and Rancher credentials
- npm, Yarn, GitHub CLI, GitLab CLI, and Netrc credentials
- Terraform credential files and .tfvars data
- .env files and database configuration files
- Shell history files and database CLI histories
- macOS Keychain databases
- Firefox key database files on macOS
- Linux keyrings and KWallet files
- Microsoft Teams local storage and IndexedDB data
The payload skipped files larger than 4 MiB and intentionally avoided recursively scanning node_modules and .git directories.
DNS TXT Queries Used for Data Exfiltration
One of the more unusual aspects of the attack involved the malware’s exfiltration mechanism. Instead of using traditional HTTP or HTTPS communication, the credential stealer relied on DNS TXT queries.
The malware attempted to communicate with the bootstrap resolver:
- sh[.]azurestaticprovider[.]net:443
Researchers described the domain as a deliberate lookalike of Microsoft’s legitimate Azure Static Web Apps infrastructure. At the time of analysis, the domain resolved to IP address 37.16[.]75.69.
Exfiltrated data was transmitted under the DNS zone:
- bt[.]node[.]js
The malware generated TXT query prefixes using:
- xh
- xd
- xf
For a compressed archive of roughly 500 KiB, analysts estimated the malware could generate approximately 29,400 DNS TXT queries during exfiltration.
The payload created compressed gzip archives from collected files, temporarily storing them in:
- /nt-/.tar.gz
Although the malware attempted to delete the archive afterward using unlinkSync(), interrupted executions could leave the malicious tarballs on disk for forensic recovery.
Impact and Indicators of Compromise
Security researchers confirmed that the malicious node-ipc npm package versions were capable of stealing credentials and configuration files from systems loading the CommonJS entrypoint.
The reviewed samples did not establish persistence mechanisms such as cron jobs, launchd services, or secondary malware downloads. The primary operational window focused on credential collection, archive creation, DNS exfiltration, and cleanup.
Investigators identified several indicators of compromise tied to the malicious tarballs, including:
Malicious Packages
File Hashes
- node-ipc.cjs SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
- node-ipc-9.1.6.tgz SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
- node-ipc-9.2.3.tgz SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
- node-ipc-12.0.1.tar.gz SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
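A forensic check that combines the two artifact indicators reported above, the tarball hashes listed here and the "Oct. 26, 1985" entry timestamp noted earlier, as an added example that is not code from Socket's or Permiso's analysis. The sample tarballs it builds are constructed for testing and are not real node-ipc artifacts; the date comparison is done in UTC.

```python
# Added example (not from the researchers' report): flag an npm tarball whose
# SHA-256 is in the IoC list or whose entries all carry the 1985-10-26 mtime.
import datetime as dt
import hashlib
import io
import tarfile

# Tarball SHA-256 values quoted in the article's indicator list.
KNOWN_BAD_SHA256 = {
    "449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e": "node-ipc-9.1.6.tgz",
    "c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea": "node-ipc-9.2.3.tgz",
    "78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981": "node-ipc-12.0.1.tar.gz",
}
SUSPECT_DATE = dt.date(1985, 10, 26)  # entry mtimes are compared as UTC dates


def entry_dates(tgz_bytes):
    """UTC date of each entry's mtime inside a gzipped tarball."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return [dt.datetime.fromtimestamp(m.mtime, dt.timezone.utc).date()
                for m in tar.getmembers()]


def assess_tarball(tgz_bytes):
    """Return the indicators that matched; an empty list means no match."""
    findings = []
    digest = hashlib.sha256(tgz_bytes).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append("sha256:" + KNOWN_BAD_SHA256[digest])
    dates = entry_dates(tgz_bytes)
    if dates and all(d == SUSPECT_DATE for d in dates):
        findings.append("mtime:1985-10-26")
    return findings


def build_sample_tgz(mtime):
    """Constructed two-file tarball for testing; not a real node-ipc artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("package/package.json", b"{}"),
                           ("package/node-ipc.cjs", b"// placeholder\n")):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for stamp in (499132800, 1700000000):  # 1985-10-26T00:00Z, then a recent time
        print(stamp, assess_tarball(build_sample_tgz(stamp)))
```

Point `assess_tarball` at the bytes of each .tgz found under the local npm cache or a registry mirror; a hash hit or an all-1985 timestamp set is a reason to quarantine the artifact rather than a proof of infection on its own.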
Security Recommendations
Researchers advised developers and organizations to immediately remove the compromised node-ipc npm package versions and reinstall verified clean releases. They also recommended auditing package-lock files, Yarn lockfiles, build caches, and local npm caches for malicious artifacts.
Organizations whose systems loaded the infected CommonJS versions were urged to treat local credentials and environment secrets as compromised. Recommended remediation steps included rotating SSH keys, npm tokens, cloud provider credentials, GitHub and GitLab tokens, Kubernetes credentials, Docker registry secrets, Terraform credentials, and database access keys.
Security teams were additionally encouraged to monitor DNS traffic for TXT query patterns beginning with xh, xd, or xf under the bt[.]node[.]js domain, as well as unusual bursts of high-volume DNS TXT traffic that could indicate active exfiltration attempts involving the malicious tarballs.
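Detection logic for the monitoring advice above, as an added example that is not from the researchers' report: it scans DNS query records for TXT lookups whose first label begins with xh, xd or xf under bt.node.js, and separately counts TXT queries per client per minute to surface bursts. The log format, client addresses, epoch timestamps and the burst threshold are all constructed assumptions.

```python
# Added detection example (not from the report): match the xh/xd/xf-prefixed
# TXT queries under bt.node.js and flag high-volume TXT bursts per client.
from collections import defaultdict

EXFIL_ZONE = "bt.node.js"
EXFIL_PREFIXES = ("xh", "xd", "xf")
BURST_THRESHOLD = 100  # assumed tuning value: TXT queries per client per minute

# Constructed sample log lines in the assumed format "<epoch> <client> <qtype> <qname>".
SAMPLE_LOG = """\
1778768700 10.0.0.5 A registry.npmjs.org
1778768701 10.0.0.5 TXT xh0a1b2c.bt.node.js
1778768701 10.0.0.5 TXT xd00000001.bt.node.js
1778768702 10.0.0.5 TXT xf3d7e9.bt.node.js
1778768703 10.0.0.7 TXT _dmarc.example.com
1778768704 10.0.0.5 TXT xh0a1b2c.evil.example
"""


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def is_exfil_query(qtype, qname):
    """True for a TXT query whose leading label carries an exfil prefix under the zone."""
    if qtype != "TXT" or not qname.endswith("." + EXFIL_ZONE):
        return False
    return qname.split(".")[0].startswith(EXFIL_PREFIXES)


def analyze(log_text, threshold=BURST_THRESHOLD):
    """Return (matching qnames, {client: peak TXT queries in one minute >= threshold})."""
    matches = []
    per_minute = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        if is_exfil_query(qtype, qname):
            matches.append(qname)
        if qtype == "TXT":
            per_minute[client][ts // 60] += 1
    bursts = {c: max(m.values()) for c, m in per_minute.items()
              if max(m.values()) >= threshold}
    return matches, bursts


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, threshold=3))
```

The prefix match is the high-confidence signal; the burst count needs a baseline from your own resolvers, since legitimate TXT traffic (SPF, DMARC, ACME) varies widely between environments.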