• About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal
The Cyber Express
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    EU-US Data Privacy Framework

    EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

    Japan cyberattacks

    Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

    Scattered Spider

    Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

    AI Cyber Attacks

    AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

    Apple Security Update

    Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

    Seized Crypto Assets

    Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

    Illegal World Cup Streaming Domains

    U.S. Seizes Nearly 400 Illegal FIFA World Cup Streaming Domains

    Operation Endgame Disrupts SocGholish

    Operation Endgame Disrupts SocGholish, StealC Malware Networks

    UAE Cybersecurity Council

    UAE Cybersecurity Council Calls for Stronger Digital Footprint Protection

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    Pink, Pink Extortion, CL-CRI-1147

    Pink Extortion Group Emerges Targeting Microsoft 365 Data

    AI-Powered Bots

    AI-Powered Bots Are Blurring the Line Between Users and Cyber Threats

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    The Cyber Express cybersecurity roundup

    The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    EU-US Data Privacy Framework

    EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

    Japan cyberattacks

    Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

    Scattered Spider

    Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

    AI Cyber Attacks

    AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

    Apple Security Update

    Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

    Seized Crypto Assets

    Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

    Illegal World Cup Streaming Domains

    U.S. Seizes Nearly 400 Illegal FIFA World Cup Streaming Domains

    Operation Endgame Disrupts SocGholish

    Operation Endgame Disrupts SocGholish, StealC Malware Networks

    UAE Cybersecurity Council

    UAE Cybersecurity Council Calls for Stronger Digital Footprint Protection

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    Pink, Pink Extortion, CL-CRI-1147

    Pink Extortion Group Emerges Targeting Microsoft 365 Data

    AI-Powered Bots

    AI-Powered Bots Are Blurring the Line Between Users and Cyber Threats

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    The Cyber Express cybersecurity roundup

    The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
The Cyber Express
No Result
View All Result
Home Firewall Daily

Malicious node-ipc npm Packages Trigger New Supply Chain Security Alarm

Ashish Khaitan by Ashish Khaitan
May 15, 2026
in Firewall Daily, Cyber News, Vulnerabilities, Vulnerability News
0
node-ipc, npm package
661
SHARES
3.7k
VIEWS
Share on LinkedInShare on Twitter

A fresh supply chain attack targeting the widely used node-ipc npm package has raised new concerns across the JavaScript ecosystem after researchers uncovered multiple malicious releases containing an obfuscated credential stealer and backdoor functionality. Security analysts confirmed that several recently published package tarballs were infected with malware capable of harvesting sensitive data from developer systems and CI environments. 

The compromised versions identified as malicious include: 

  • [email protected]  
  • [email protected]  
  • [email protected]  

Researchers at Socket reported that the suspicious versions were flagged within approximately three minutes of publication, classifying the activity as malware almost immediately. Their investigation found that the malicious node-ipc releases contained heavily obfuscated code designed to fingerprint systems, collect local files, compress stolen data, encrypt the payload, and exfiltrate information through DNS-based communication channels. 

The incident marks another major security issue involving the long-running npm package, which was previously linked to one of the most discussed software supply chain incidents in the Node.js community. 

Malicious node-ipc Versions Revive Earlier Supply Chain Concerns 

The latest attack does not appear to be a typosquatting campaign. Instead, analysts believe the threat actor republished or reintroduced malicious functionality directly into legitimate node-ipc package versions. 

Researchers also pointed to earlier compromises connected to the package. In 2022, versions 10.1.1 and 10.1.2 contained geo-targeted destructive malware that checked whether systems were located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the controversial “peacenotwar” dependency associated with unauthorized file-writing behavior.

report-ad-banner

The newly discovered malware specifically affects the CommonJS implementation of the npm package. According to the technical analysis, the malicious payload exists only in the node-ipc.cjs file. The ESM wrapper, node-ipc.js, remained clean in the reviewed package artifacts and simply imported source files without containing the injected payload.

Investigators also identified an unusual forensic indicator across the infected tarballs. Every file within the reviewed archives carried the timestamp “Oct. 26, 1985.” Researchers noted that this timestamp appeared consistently across all analyzed malicious package artifacts and may help investigators identify infected caches or registry mirrors. 

Dormant Maintainer Account Allegedly Hijacked 

The investigation suggests the attack may have originated through the takeover of a dormant maintainer account. The node-ipc project reportedly has 12 npm maintainers, including an account named “atiertant,” which still retains publishing privileges despite years of inactivity. 

Independent researcher Ian Ahl, also known online as @TekDefense and CTO at Permiso, publicly identified what he described as the likely attack vector: an expired email domain linked to the maintainer account. 

According to the published timeline: 

  • Atlantis-software[.]net was originally registered on Jan. 10, 2001.  
  • The domain expired on Jan. 10, 2025, after reportedly not being renewed.  
  • An attacker allegedly re-registered the domain through NameCheap on May 7, 2026.  
  • The attacker may then have configured mail servers and initiated an npm password reset.  
  • Three malicious node-ipc versions were subsequently published on May 14, 2026, between 14:25 and 14:26 UTC.  

Researchers believe that if the npm recovery email address was still associated with the expired domain, the new domain owner could have intercepted password reset emails and regained publishing access without directly compromising the maintainer’s infrastructure. 

Credential Stealer Activated Through CommonJS Loading 

The malware embedded inside the node-ipc npm package relied on runtime execution rather than installation scripts. When applications used require(“node-ipc”), the malicious node-ipc.cjs file executed an appended obfuscated IIFE during module loading. 

The payload exposed an internal runner function named __ntRun, creating additional execution paths beyond the initial automatic activation. Analysts noted that any downstream code invoking require(“node-ipc”).__ntRun() could trigger another round of data collection and exfiltration. 

The malware used an environment variable called __ntw to distinguish execution paths. In most cases, the parent process spawned a detached child process that handled credential harvesting independently. If the child process failed, the malware executed within the current process instead. 

Extensive Data Collection Targeted Developer Environments 

The malicious node-ipc code performed extensive reconnaissance using Node.js operating system APIs. The malware gathered details including: 

  • Operating system platform  
  • System architecture  
  • Hostname  
  • Kernel version  
  • Environment variables  

The payload also attempted to execute uname -a and stored results inside uname.txt. Additional harvested files included /etc/hosts and envs.txt, which contained sorted environment variables formatted as KEY=value. 

Researchers warned that the environment collection process was not selective. Any secrets stored in environment variables—including cloud credentials, CI tokens, registry credentials, API keys, and database secrets—could be captured by the credential stealer.

The malware reportedly targeted a wide range of developer and infrastructure assets, including: 

  • AWS, Azure, GCP, OCI, and DigitalOcean configuration files  
  • SSH keys and SSH configurations  
  • Kubernetes, Docker, Helm, and Rancher credentials  
  • npm, Yarn, GitHub CLI, GitLab CLI, and Netrc credentials  
  • Terraform credential files and .tfvars data  
  • .env files and database configuration files  
  • Shell history files and database CLI histories  
  • macOS Keychain databases  
  • Firefox key database files on macOS  
  • Linux keyrings and KWallet files  
  • Microsoft Teams local storage and IndexedDB data  
  • The payload skipped files larger than 4 MiB and intentionally avoided recursively scanning node_modules and .git directories. 

DNS TXT Queries Used for Data Exfiltration 

One of the more unusual aspects of the attack involved the malware’s exfiltration mechanism. Instead of using traditional HTTP or HTTPS communication, the credential stealer relied on DNS TXT queries. 

The malware attempted to communicate with the bootstrap resolver: 

  • sh[.]azurestaticprovider[.]net:443  

Researchers described the domain as a deliberate lookalike of Microsoft’s legitimate Azure Static Web Apps infrastructure. At the time of analysis, the domain resolved to IP address 37.16[.]75.69. 

Exfiltrated data was transmitted under the DNS zone: 

  • bt[.]node[.]js  

The malware generated TXT query prefixes using: 

  • xh  
  • xd  
  • xf  

For a compressed archive of roughly 500 KiB, analysts estimated the malware could generate approximately 29,400 DNS TXT queries during exfiltration. 

The payload created compressed gzip archives from collected files, temporarily storing them in: 

  • /nt-/.tar.gz  

Although the malware attempted to delete the archive afterward using unlinkSync(), interrupted executions could leave the malicious tarballs on disk for forensic recovery. 

Impact and Indicators of Compromise 

Security researchers confirmed that the malicious node-ipc npm package versions were capable of stealing credentials and configuration files from systems loading the CommonJS entrypoint. 

The reviewed samples did not establish persistence mechanisms such as cron jobs, launchd services, or secondary malware downloads. The primary operational window focused on credential collection, archive creation, DNS exfiltration, and cleanup. 

Investigators identified several indicators of compromise tied to the malicious tarballs, including: 

Malicious Packages 

  • [email protected]  
  • [email protected]  
  • [email protected]  

File Hashes 

  • node-ipc.cjs SHA-256:
    96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144  
  • node-ipc-9.1.6.tgz SHA-256:
    449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e  
  • node-ipc-9.2.3.tgz SHA-256:
    c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea  
  • node-ipc-12.0.1.tar.gz SHA-256:
    78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981  

Security Recommendations 

Researchers advised developers and organizations to immediately remove the compromised node-ipc npm package versions and reinstall verified clean releases. They also recommended auditing package-lock files, Yarn lockfiles, build caches, and local npm caches for malicious artifacts. 

Organizations whose systems loaded the infected CommonJS versions were urged to treat local credentials and environment secrets as compromised. Recommended remediation steps included rotating SSH keys, npm tokens, cloud provider credentials, GitHub and GitLab tokens, Kubernetes credentials, Docker registry secrets, Terraform credentials, and database access keys. 

Security teams were additionally encouraged to monitor DNS traffic for TXT query patterns beginning with xh, xd, or xf under the bt[.]node[.]js domain, as well as unusual bursts of high-volume DNS TXT traffic that could indicate active exfiltration attempts involving the malicious tarballs. 

Share this:

  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Reddit (Opens in new window) Reddit
  • Share on X (Opens in new window) X
  • Share on Facebook (Opens in new window) Facebook
  • More
  • Email a link to a friend (Opens in new window) Email
  • Share on WhatsApp (Opens in new window) WhatsApp

Related

Tags: node-ipcnpm PackagepeacenotwartarballsThe Cyber ExpressThe Cyber Express Newstyposquatting
Previous Post

OpenAI Confirms Limited Impact From TanStack npm Supply Chain Attack, Urges macOS App Updates

Next Post

Fragnesia Linux Kernel Flaw Enables Root Privilege Escalation

Next Post
Fragnesia

Fragnesia Linux Kernel Flaw Enables Root Privilege Escalation

Q1 2026 Threat Reports

❮ ❯
Cyble-Vision


Follow Us On Google News

Latest Cyber News

EU-US Data Privacy Framework
Cyber News

EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

July 3, 2026
Japan cyberattacks
Cyber News

Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

July 2, 2026
Scattered Spider
Cyber News

Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

July 2, 2026
AI Cyber Attacks
Cyber News

AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

July 1, 2026

Categories

Web Stories

Do This on Telegram, Your Bank Account Will Become Zero
Do This on Telegram, Your Bank Account Will Become Zero
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
Cricket World Cup Ticketing Systems Under Cybersecurity
Cricket World Cup Ticketing Systems Under Cybersecurity
Cyber Threats and Online Ticket Scams During the NBA Finals
Cyber Threats and Online Ticket Scams During the NBA Finals
Biometric Data Security: Protecting Sensitive Information
Biometric Data Security: Protecting Sensitive Information

About

The Cyber Express

#1 Trending Cybersecurity News and Magazine

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

 

Contact

For editorial queries: [email protected]

For marketing and Sales: [email protected]

 

Quick Links

  • About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal

Our Address

We’re remote friendly, with office locations around the world:

San Francisco, Atlanta, Rome,
Dubai, Mumbai, Bangalore, Hyderabad,  Singapore, Jakarta, Sydney, and Melbourne

 

Headquarters:

The Cyber Express LLC
10080 North Wolfe Road, Suite SW3-200, Cupertino, CA, US 95014

 

India Office:

Cyber Express Media Network
HD-021, 4th Floor, C Wing, Building No.4. Nesco IT Park, WE Highway, Goregaon East, Mumbai, Maharashtra, India – 4000063

  • Privacy Statement
  • Terms of Use
  • Write For Us

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Magazine
  • Firewall Daily
  • Essentials
    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
-
00:00
00:00

Queue

Update Required Flash plugin
-
00:00
00:00
Do This on Telegram, Your Bank Account Will Become Zero If You Install the iOS 18 Beta, Your iPhone Could Be Hacked Cricket World Cup Ticketing Systems Under Cybersecurity Cyber Threats and Online Ticket Scams During the NBA Finals Biometric Data Security: Protecting Sensitive Information