An unidentified attacker compromised the npm account of an inactive maintainer called ‘atiertant’ and pushed malware into three versions of node-ipc, a Node.js inter-process communication package with more than 690,000 weekly downloads. The poisoned releases, 9.1.6, 9.2.3, and 12.0.1, were confirmed malicious by Socket, Ox Security, and Upwind.
The malware hides inside node-ipc.cjs, the package’s CommonJS entrypoint, and runs as soon as an application requires the package. It fingerprints the infected system, sweeps environment variables and local files, then exfiltrates the compressed results through DNS TXT queries rather than HTTP traffic. Socket calculates that exfiltrating a 500 KB archive takes roughly 29,400 DNS TXT queries, traffic that blends into normal DNS activity on networks that do not inspect resolver logs.
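The exfiltration pattern described above leaves a recognisable trace in resolver logs: one client sends a burst of TXT queries, each with a long, never-repeating encoded prefix, under a single attacker-controlled apex. The script below is an added example, not code from Socket, Ox Security, Upwind or the node-ipc project, showing that heuristic over constructed log lines. The log format "<epoch> <client> <qtype> <qname>", the thresholds, and the exfil domain c2-example.test are all assumptions; the article does not name the real domain.

```javascript
'use strict';
// Added example (not the researchers' or the project's code): a resolver-log
// heuristic for DNS TXT exfiltration. The log format, the thresholds and the
// domain c2-example.test are constructed stand-ins for details the article omits.

function hexChunk(seed, len) {
  // Deterministic pseudo-random hex so the sample log is reproducible offline.
  let out = '';
  let x = seed >>> 0;
  while (out.length < len) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    out += x.toString(16).padStart(8, '0');
  }
  return out.slice(0, len);
}

// Constructed log: benign noise (repeated _dmarc lookups, ordinary A/AAAA queries)...
const SAMPLE_LOG = [
  '1700000001 10.0.0.5 A registry.npmjs.org',
  '1700000002 10.0.0.5 TXT _dmarc.example.com',
  '1700000003 10.0.0.7 TXT _dmarc.example.com',
  '1700000004 10.0.0.5 TXT example.com',
  '1700000005 10.0.0.7 AAAA api.github.com',
  '1700000006 10.0.0.5 TXT _dmarc.example.com',
];
// ...plus a burst of 60 TXT queries, each carrying two 60-character hex labels
// (a chunk of the archive) and a sequence number under one attacker apex.
for (let i = 0; i < 60; i++) {
  const qname = `${hexChunk(i, 60)}.${hexChunk(i + 1000, 60)}.${i}.c2-example.test`;
  SAMPLE_LOG.push(`${1700000100 + i} 10.0.0.5 TXT ${qname}`);
}

function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  if (!qname) return null;
  return {
    ts: Number(ts),
    client,
    qtype: qtype.toUpperCase(),
    qname: qname.toLowerCase().replace(/\.$/, ''),
  };
}

// Naive apex: the last two labels. Production code should consult the Public
// Suffix List (co.uk, com.au, ...); kept simple here on purpose.
function apexOf(qname) {
  return qname.split('.').slice(-2).join('.');
}

const THRESHOLDS = Object.freeze({
  minQueries: 25,      // a burst, not a handful of lookups
  minPrefixLen: 40,    // encoded payload makes the left-hand labels long
  minUniqueRatio: 0.9, // each chunk differs; legitimate TXT lookups repeat
});

// Group TXT queries by (client, apex) and flag groups that look like chunked upload.
function detectTxtExfil(lines, thresholds = THRESHOLDS) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.qtype !== 'TXT') continue;
    const apex = apexOf(rec.qname);
    const key = `${rec.client}|${apex}`;
    const g = groups.get(key) ||
      { client: rec.client, apex, count: 0, prefixChars: 0, unique: new Set(), first: rec.ts, last: rec.ts };
    g.count += 1;
    g.prefixChars += Math.max(0, rec.qname.length - apex.length - 1);
    g.unique.add(rec.qname);
    g.first = Math.min(g.first, rec.ts);
    g.last = Math.max(g.last, rec.ts);
    groups.set(key, g);
  }
  const findings = [];
  for (const g of groups.values()) {
    const avgPrefix = g.prefixChars / g.count;
    const uniqueRatio = g.unique.size / g.count;
    if (g.count >= thresholds.minQueries &&
        avgPrefix >= thresholds.minPrefixLen &&
        uniqueRatio >= thresholds.minUniqueRatio) {
      findings.push({
        client: g.client,
        apex: g.apex,
        queries: g.count,
        avgPrefixLen: Math.round(avgPrefix),
        uniqueRatio,
        seconds: g.last - g.first,
        // Upper bound on payload size: label characters still encoded (hex halves it).
        encodedChars: g.prefixChars,
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectTxtExfil(SAMPLE_LOG), null, 2));
```

The unique-ratio check is what separates this from legitimate TXT traffic: mail-related lookups (_dmarc, SPF, DKIM selectors) repeat the same names, while exfiltration never sends the same chunk twice. Tune minQueries to your baseline; at Socket's estimate of 29,400 queries per 500 KB, even a conservative threshold catches a real upload early.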
Targeted credentials include AWS, Azure, GCP, OCI, DigitalOcean, and other cloud credentials; SSH keys and configs; Kubernetes, Docker, Helm, and Terraform credentials; npm, GitHub, GitLab, and Git CLI tokens; .env files and database passwords; shell histories and CI/CD secrets; macOS Keychain files and Linux keyrings; Firefox profile and key database files (macOS); and Microsoft Teams local storage.
This isn’t node-ipc’s first supply-chain controversy. The package’s own maintainer published data-wiping versions in March 2022 targeting Russian and Belarusian systems. It kept 690,000-plus weekly downloads regardless.
The malware doesn’t establish persistence, caps collection at files under 4 MiB, and deletes its temporary tar.gz archives after exfiltration, so there may be little left on disk to find. Developers running the affected versions should remove them immediately, rotate every credential the package could have read, and inspect lockfiles and npm caches for the three versions, including copies pulled in as transitive dependencies.
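Lockfile inspection has to cover the whole tree, not just direct dependencies, because node-ipc is often installed several levels down. The script below is an added example, not node-ipc's or npm's own code: it walks an npm package-lock.json in either the lockfileVersion 1 nested "dependencies" form or the lockfileVersion 2/3 flat "packages" map and reports every install path carrying one of the three versions named above. The sample lockfiles and the package name "some-cli" are constructed for the example.

```javascript
'use strict';
// Added example, not node-ipc's or npm's own code: find the three malicious
// node-ipc releases anywhere in an npm lockfile. The sample lockfiles below and
// the package "some-cli" are constructed; only the version list comes from the advisory.

const AFFECTED = Object.freeze({
  'node-ipc': new Set(['9.1.6', '9.2.3', '12.0.1']),
});

function record(hits, affected, name, version, path) {
  const bad = affected[name];
  if (bad && bad.has(version)) hits.push({ name, version, path });
}

// lockfileVersion 1: a nested "dependencies" tree; each node may nest its own.
function walkV1(deps, prefix, hits, affected) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    record(hits, affected, name, meta.version, path);
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, hits, affected);
  }
}

// Package name from a v2/v3 path key: the text after the last "node_modules/",
// which keeps the scope for "@scope/name" entries.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    // v2 also carries a legacy "dependencies" mirror, so we deliberately skip it here.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      record(hits, affected, meta.name || nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', hits, affected);
  }
  return hits;
}

// Constructed v3 lockfile: one direct hit and one nested under a dependency.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'node-ipc': '^12.0.0', 'some-cli': '^1.0.0' } },
    'node_modules/node-ipc': { version: '12.0.1' },
    'node_modules/some-cli': { version: '1.0.0', dependencies: { 'node-ipc': '^9.1.1' } },
    'node_modules/some-cli/node_modules/node-ipc': { version: '9.1.6' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed v1 lockfile: the hit is only reachable through the nested tree.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cli': { version: '1.0.0', dependencies: { 'node-ipc': { version: '9.2.3' } } },
    'node-ipc': { version: '9.1.1' },
  },
};

// Stand-alone use: node find-node-ipc.js path/to/package-lock.json
// Exits non-zero when a malicious release is present, so it can gate CI.
if (typeof process !== 'undefined' && typeof require === 'function' && process.argv[2]) {
  const fs = require('fs');
  const hits = findAffected(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
  for (const h of hits) console.log(`${h.path}: ${h.name}@${h.version} is a malicious release`);
  process.exit(hits.length ? 1 : 0);
} else {
  console.log(findAffected(SAMPLE_LOCK_V3), findAffected(SAMPLE_LOCK_V1));
}
```

A clean lockfile is necessary but not sufficient: `npm ls node-ipc` confirms what is actually installed in node_modules, and the npm cache under ~/.npm/_cacache keeps fetched tarballs indexed by registry URL, so a grep for node-ipc-9.1.6.tgz, node-ipc-9.2.3.tgz and node-ipc-12.0.1.tgz there shows whether a poisoned tarball was ever downloaded on that machine; `npm cache clean --force` removes it. Neither step replaces credential rotation, since the archive has already left via DNS by the time the scan runs.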
James Okafor