Critical node-ipc npm Package Supply Chain Attack Lets Attackers Inject Malware
Key Takeaways
- A critical supply chain attack has compromised the widely used node-ipc npm package.
- Malicious code, including stealer and backdoor payloads, was found in versions 9.1.6, 9.2.3, and 12.0.1.
- The attack vector involved the takeover of an inactive maintainer's npm account through an expired domain's re-registration.
- The malware fingerprints systems, harvests sensitive credentials and configuration files, and exfiltrates data via DNS TXT queries.
- Developers using the CommonJS entrypoint (require("node-ipc")) are at risk, and immediate action is required to mitigate compromise.
The node-ipc JavaScript inter-process communication library, a dependency with over 822,000 weekly downloads, has once again been targeted in a significant supply chain attack. Security firms Socket and StepSecurity have confirmed that three recently released versions of the package contain sophisticated stealer and backdoor payloads. This is the second major supply chain incident involving node-ipc since 2022.
The specific versions identified as malicious are node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1.
Attack Vector: Dormant Account Takeover
Security researcher Ian Ahl (@TekDefense), CTO at Permiso, pinpointed the probable method of compromise as the takeover of a dormant maintainer account. Ahl’s analysis, shared on May 14, 2026, indicated a domain takeover strategy:
Looking like domain takeover to get this one: Domain expired 2025-01-10, Attacker re-registered it 2026-05-07 via NameCheap.
2001-01-10 atlantis-software[.]net registered (legitimate, OVH)
2025-01-10 Domain expires (not renewed)
2026-05-07 Attacker re-registers domain via…— 1aN0rmus (@TekDefense) May 14, 2026
The compromised account, "atiertant," was one of twelve listed npm maintainers for node-ipc and had been inactive for several years. Attackers reportedly acquired the recovery email domain, atlantis-software[.]net, after it expired, which let them complete a standard npm password reset and gain silent publishing rights without ever touching the original maintainer's infrastructure, as detailed by Socket.
Malicious Payload and Exfiltration
The malicious code is embedded in node-ipc.cjs, the CommonJS entrypoint, as an obfuscated Immediately Invoked Function Expression (IIFE). The ESM (ECMAScript Module) entrypoint remains clean, so projects that load the package via require("node-ipc") execute the payload, while those that import it exclusively as pure ESM might not be directly impacted. Treat that as a narrow exception rather than a safe harbour: any dependency in the tree that requires the CommonJS build triggers the payload, and the published tarball still carries the malicious file, so the affected versions should be treated as compromised regardless of how your own code imports them.
Upon module load, the payload activates via setImmediate(), spawning a detached child process with the __ntw=1 environment variable flag. This process then executes a multi-stage attack:
- Host Fingerprinting: It collects OS metadata, including platform, architecture, hostname, and the output of uname -a.
- Credential Harvesting: The malware targets over 100 patterns to collect credentials and configuration files. This includes sensitive data related to AWS, Azure, GCP, Kubernetes, Docker, SSH keys, npm tokens, GitHub/GitLab credentials, Terraform secrets, .env files, shell histories, and macOS Keychain databases.
- Data Archiving: Collected data is compressed into a gzip tarball, saved to <tmp>/nt-<pid>/<machineHex>.tar.gz.
- DNS Exfiltration: Data is exfiltrated not via HTTP, but through DNS TXT queries. A fake Azure-like bootstrap domain, sh[.]azurestaticprovider[.]net, is used, with the data itself routed through the zone bt[.]node[.]js using query prefixes such as xh, xd, and xf. A 500 KiB compressed archive can generate approximately 29,400 DNS TXT queries, making such bursts a strong detection indicator.
A notable forensic detail is that every file within the malicious tarballs carries a timestamp of October 26, 1985, a deliberate artifact that can help identify cached or mirrored copies.
Indicators of Compromise (IOCs)
Organizations should be aware of the following indicators:
| Type | Indicator |
|---|---|
| Malicious packages | node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1 |
| node-ipc.cjs SHA-256 | 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144 |
| node-ipc-9.1.6.tgz SHA-256 | 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e |
| node-ipc-9.2.3.tgz SHA-256 | c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea |
| node-ipc-12.0.1.tar.gz SHA-256 | 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 |
| C2 bootstrap domain | sh[.]azurestaticprovider[.]net |
| C2 IP | 37.16[.]75.69 |
| Exfiltration DNS zone | bt[.]node[.]js |
| Runtime env variable | __ntw=1 |
| Temp archive pattern | <tmp>/nt-<pid>/<machineHex>.tar.gz |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Immediate Removal: Developers must immediately remove all instances of node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 from their projects.
- Audit Lock Files: Thoroughly audit package-lock.json, yarn.lock, and local npm caches to ensure no affected versions remain.
- Credential Rotation: Any environment variables, SSH keys, cloud credentials, or API tokens present on systems that loaded the CommonJS entrypoint of the malicious package should be considered compromised and rotated without delay.
- Network Monitoring: Security teams should actively hunt for DNS TXT query bursts directed to bt[.]node[.]js in network logs.
- Block Malicious Domains: Block the C2 bootstrap resolver domain, sh[.]azurestaticprovider[.]net, at the network perimeter.