Critical node-ipc npm Package Supply Chain Attack Lets Attackers Inject Malware

Jennifer Sherman
May 14, 2026

Key Takeaways

  • A critical supply chain attack has compromised the widely used node-ipc npm package.
  • Malicious code, including stealer and backdoor payloads, was found in versions 9.1.6, 9.2.3, and 12.0.1.
  • The attack vector involved the takeover of an inactive maintainer’s npm account through an expired domain’s re-registration.
  • The malware fingerprints systems, harvests sensitive credentials and configuration files, and exfiltrates data via DNS TXT queries.
  • Developers using the CommonJS entrypoint (require("node-ipc")) are at risk, and immediate action is required to mitigate compromise.

The node-ipc JavaScript inter-process communication library, a dependency with over 822,000 weekly downloads, has once again been targeted in a significant supply chain attack. Security firms Socket and StepSecurity have confirmed that three recently released versions of the package contain sophisticated stealer and backdoor payloads. This incident is the second major compromise of node-ipc since 2022.

The specific versions identified as malicious are node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1.

Attack Vector: Dormant Account Takeover

Security researcher Ian Ahl (@TekDefense), CTO at Permiso, pinpointed the probable method of compromise as the takeover of a dormant maintainer account. Ahl’s analysis, shared on May 14, 2026, indicated a domain takeover strategy:

Looking like domain takeover to get this one: Domain expired 2025-01-10, Attacker re-registered it 2026-05-07 via NameCheap.

2001-01-10 atlantis-software[.]net registered (legitimate, OVH)
2025-01-10 Domain expires (not renewed)
2026-05-07 Attacker re-registers domain via…

— 1aN0rmus (@TekDefense) May 14, 2026

The compromised account, “atiertant,” was one of twelve listed npm maintainers for node-ipc and had been inactive for several years. Attackers reportedly acquired the recovery email domain, atlantis-software[.]net, after it expired. This allowed them to initiate a standard npm password reset, thereby gaining silent publishing rights without needing to access the original maintainer’s infrastructure, as detailed by Socket security.

Malicious Payload and Exfiltration

The malicious code is embedded in node-ipc.cjs, the CommonJS entrypoint, as an obfuscated Immediately Invoked Function Expression (IIFE). Importantly, the ESM (ECMAScript Module) entrypoint remains clean: projects that load the package with require("node-ipc") execute the payload, while those that import it exclusively as pure ESM might not be directly impacted.

Upon module load, the payload activates via setImmediate(), spawning a detached child process with the __ntw=1 environment variable flag. This process then executes a multi-stage attack:

  • Host Fingerprinting: It collects OS metadata, including platform, architecture, hostname, and the output of uname -a.
  • Credential Harvesting: The malware targets over 100 patterns to collect credentials and configuration files. This includes sensitive data related to AWS, Azure, GCP, Kubernetes, Docker, SSH keys, npm tokens, GitHub/GitLab credentials, Terraform secrets, .env files, shell histories, and macOS Keychain databases.
  • Data Archiving: Collected data is compressed into a gzip tarball, saved to <tmp>/nt-<pid>/<machineHex>.tar.gz.
  • DNS Exfiltration: Data is exfiltrated not via HTTP, but through DNS TXT queries. A fake Azure-like domain, sh[.]azurestaticprovider[.]net, is used, routing data through the zone bt[.]node[.]js with query prefixes like xh, xd, and xf. A 500 KiB compressed archive can generate approximately 29,400 DNS TXT queries, making such bursts a strong detection indicator.

A notable forensic detail is that every file within the malicious tarballs carries a timestamp of October 26, 1985, a deliberate artifact that can help identify cached or mirrored copies.
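Detection logic for the DNS burst pattern described above, as an added example that is not from the article or from Socket/StepSecurity tooling: it parses constructed resolver log lines of the form "<epoch> <client> <qtype> <qname>", counts TXT queries under bt[.]node[.]js per client in a sliding window, and reports clients whose peak count crosses a threshold; the window length and threshold are assumed values.

```javascript
// Added example, not from the article or vendor tooling: flag clients that emit
// bursts of DNS TXT queries under the exfiltration zone named in the article.
// The zone is kept defanged in source and re-fanged only at match time.
const EXFIL_ZONE = "bt[.]node[.]js".replace(/\[\.\]/g, ".");
const QUERY_PREFIXES = ["xh", "xd", "xf"]; // label prefixes named in the article
const WINDOW_SECONDS = 60;   // assumption: sliding-window length
const BURST_THRESHOLD = 50;  // assumption: TXT queries per window that trigger an alert

// Parse one constructed log line "<epoch> <client> <qtype> <qname>";
// return null unless it is a TXT query under the zone.
function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  if (!qname || qtype !== "TXT") return null;
  const name = qname.toLowerCase().replace(/\.$/, "");
  if (name !== EXFIL_ZONE && !name.endsWith("." + EXFIL_ZONE)) return null;
  const firstLabel = name.split(".")[0];
  const prefix = QUERY_PREFIXES.find((p) => firstLabel.startsWith(p)) || null;
  return { ts: Number(ts), client, qname: name, prefix };
}

// Per client, count zone TXT queries in a sliding window over sorted timestamps;
// report the peak window count for clients at or above the threshold.
function detectBursts(logLines) {
  const perClient = new Map();
  for (const line of logLines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (!perClient.has(rec.client)) perClient.set(rec.client, []);
    perClient.get(rec.client).push(rec.ts);
  }
  const alerts = [];
  for (const [client, times] of perClient) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > WINDOW_SECONDS) start++;
      peak = Math.max(peak, i - start + 1);
    }
    if (peak >= BURST_THRESHOLD) alerts.push({ client, peak });
  }
  return alerts;
}

// Constructed sample: 10.0.0.5 streams 60 TXT chunks in 30 s; 10.0.0.9 sends one
// TXT query and one unrelated A query and should not alert.
const SAMPLE_LOG = Array.from({ length: 60 }, (_, i) =>
  `${1700000000 + Math.floor(i / 2)} 10.0.0.5 TXT xd${i}.deadbeef.bt.node.js.`);
SAMPLE_LOG.push("1700000010 10.0.0.9 TXT xh1.bt.node.js.");
SAMPLE_LOG.push("1700000100 10.0.0.9 A www.example.com.");
console.log(detectBursts(SAMPLE_LOG)); // [{ client: "10.0.0.5", peak: 60 }]
```

The threshold is deliberately far below the roughly 29,400 queries the article cites for a 500 KiB archive; tune it against your resolver's normal TXT volume before alerting.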

Indicators of Compromise (IOCs)

Organizations should be aware of the following indicators:

  • Malicious packages: node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1
  • node-ipc.cjs SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
  • node-ipc-9.1.6.tgz SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
  • node-ipc-9.2.3.tgz SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
  • node-ipc-12.0.1.tar.gz SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
  • C2 bootstrap domain: sh[.]azurestaticprovider[.]net
  • C2 IP: 37.16[.]75.69
  • Exfiltration DNS zone: bt[.]node[.]js
  • Runtime env variable: __ntw=1
  • Temp archive pattern: <tmp>/nt-<pid>/<machineHex>.tar.gz

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Immediate Removal: Developers must immediately remove all instances of node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 from their projects.
  • Audit Lock Files: Thoroughly audit package-lock.json, yarn.lock, and local npm caches to ensure no affected versions remain.
  • Credential Rotation: Any environment variables, SSH keys, cloud credentials, or API tokens present on systems that loaded the CommonJS entrypoint of the malicious package should be considered compromised and rotated without delay.
  • Network Monitoring: Security teams should actively hunt for DNS TXT query bursts directed to bt[.]node[.]js in network logs.
  • Block Malicious Domains: Block the C2 bootstrap resolver domain, sh[.]azurestaticprovider[.]net, at the network perimeter.
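One way to carry out the lock-file audit step, as an added example that is not the article's or any project's own code: it checks package-lock.json (lockfile v1 and v2/v3 layouts) and classic yarn.lock text for the three node-ipc versions named in the article, run here against constructed sample lock files rather than real ones.

```javascript
// Added example, not the article's or any project's code: audit lock files for
// the node-ipc versions the article lists as malicious.
const MALICIOUS = { "node-ipc": new Set(["9.1.6", "9.2.3", "12.0.1"]) };

// package-lock.json: lockfile v2/v3 keys "packages" by install path
// ("node_modules/node-ipc"); v1 nests "dependencies" by package name.
function auditPackageLock(lockJson) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockJson.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (MALICIOUS[name]?.has(meta.version)) hits.push({ name, version: meta.version, where: path });
  }
  const walk = (deps, parent) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (MALICIOUS[name]?.has(meta.version)) hits.push({ name, version: meta.version, where: parent });
      walk(meta.dependencies, `${parent}/${name}`); // nested (non-deduped) copies
    }
  };
  if (!lockJson.packages) walk(lockJson.dependencies, ".");
  return hits;
}

// yarn.lock (classic v1 text): an unindented header such as `node-ipc@^9.1.5:`
// (possibly several quoted ranges) is followed by an indented `version "9.1.6"`.
function auditYarnLock(text) {
  const hits = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trimEnd();
    if (line && !line.startsWith(" ") && !line.startsWith("#")) {
      const spec = line.replace(/[":]/g, "").split(",")[0].trim();
      current = spec.slice(0, spec.lastIndexOf("@")); // drop the range, keep the name
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m && MALICIOUS[current]?.has(m[1])) hits.push({ name: current, version: m[1], where: "yarn.lock" });
    }
  }
  return hits;
}

// Constructed sample lock files (not taken from any real project).
const SAMPLE_PACKAGE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/node-ipc": { version: "9.2.3" },
  "node_modules/some-tool/node_modules/node-ipc": { version: "9.1.5" },
} };
const SAMPLE_YARN_LOCK = '# yarn lockfile v1\n\nnode-ipc@^12.0.0:\n  version "12.0.1"\n\nlodash@^4.17.21:\n  version "4.17.21"\n';
console.log(auditPackageLock(SAMPLE_PACKAGE_LOCK), auditYarnLock(SAMPLE_YARN_LOCK));
```

Lock files only show what was resolved; the local npm cache (npm cache ls or the _cacache directory) should be checked against the tarball hashes in the IOC list as well.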
