Compromised npm Package Targets Developer Environments
Cybersecurity researchers have identified malicious activity in three recently published versions of the popular Node IPC library (npm package name node-ipc), a widely used package for inter-process communication. The affected versions, node-ipc 9.1.6, 9.2.3, and 12.0.1, contain an obfuscated stealer and backdoor that activates when the package is loaded at runtime. The malicious code was published by an account named “atiertant” with no prior connection to the package’s original maintainer, appearing after a 21-month gap since the last legitimate update.
The compromised package versions avoid traditional npm lifecycle hooks such as preinstall or postinstall scripts, instead embedding the payload as an Immediately Invoked Function Expression (IIFE) that runs when the module is required. Because nothing executes at install time, security scanners that only monitor package installation behavior have a harder time detecting it.
Data Theft and Exfiltration Mechanism
Once triggered, the backdoor performs extensive environment fingerprinting and enumerates local files. It targets a broad range of developer secrets across 90 credential categories, including configuration files for Amazon Web Services, Google Cloud, and Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI settings, Terraform state files, database passwords, and shell history. The stolen data is compressed into a GZIP archive and transmitted to an external command-and-control (C2) server hosted at “sh.azurestaticprovider.net”.
This supply chain attack demonstrates how dormant but high-download open source packages can be weaponized to target the software development lifecycle itself. Developers who have recently updated the node-ipc package are advised to rotate all cloud and infrastructure credentials immediately and audit their systems for signs of compromise.
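Since the payload runs at require time rather than at install time, an install-hook scanner will not see it; a defender's first practical check is simply which node-ipc versions are pinned in each project's lockfile, plus a look at egress logs for the C2 host named above. The following Node.js script is an added example written for this summary, not code from the article or from the node-ipc project. It reads the three compromised version numbers and the C2 hostname from the article; the lockfile object and proxy log lines are constructed for illustration, and the lockfile handling for npm lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map) reflects the standard npm lockfile layouts.

```javascript
// Added example (not from the article): flag compromised node-ipc versions in an
// npm lockfile and outbound contact with the C2 host the article names.

const COMPROMISED_NODE_IPC = new Set(['9.1.6', '9.2.3', '12.0.1']); // from the article
const C2_HOST = 'sh.azurestaticprovider.net';                        // from the article

// Normalise a version string ("v9.2.3" -> "9.2.3").
function normVersion(v) {
  return String(v || '').trim().replace(/^v/, '');
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// installed node-ipc instance, nested copies included, that is on the compromised list.
function findCompromisedNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/node-ipc' || path.endsWith('/node_modules/node-ipc')) {
        const version = normVersion(meta.version);
        if (COMPROMISED_NODE_IPC.has(version)) hits.push({ path, version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so recurse.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc') {
        const version = normVersion(meta.version);
        if (COMPROMISED_NODE_IPC.has(version)) hits.push({ path, version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Match the C2 host (or any subdomain of it) as a whole label, case-insensitively,
// so that e.g. "sh.azurestaticprovider.network" is not a false positive.
const C2_RE = new RegExp(
  `(^|[^a-z0-9-])${C2_HOST.replace(/\./g, '\\.')}(?![a-z0-9-])`, 'i');

// Return the proxy/DNS log lines that reference the C2 host.
function findC2Contacts(logLines) {
  return logLines.filter((line) => C2_RE.test(line));
}

// Constructed sample lockfile (lockfileVersion 3): the top-level node-ipc is a
// compromised build, while a nested copy under a hypothetical "some-tool" is not.
const SAMPLE_LOCK = {
  name: 'constructed-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'node-ipc': '^9.1.1', 'some-tool': '^2.0.0' } },
    'node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { 'node-ipc': '^9.1.1' } },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.1.1' },
  },
};

// Constructed sample egress proxy log lines.
const SAMPLE_PROXY_LOG = [
  'T+00s CONNECT registry.npmjs.org:443 200',
  'T+04s CONNECT sh.azurestaticprovider.net:443 200',
  'T+05s CONNECT api.github.com:443 200',
];

// Combine both checks into one report object.
function report(lock, logLines) {
  return {
    compromisedNodeIpc: findCompromisedNodeIpc(lock),
    c2Contacts: findC2Contacts(logLines),
  };
}

console.log(JSON.stringify(report(SAMPLE_LOCK, SAMPLE_PROXY_LOG), null, 2));
```

On a real machine, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` for each project and feed the egress log lines from your proxy or DNS resolver; any hit in either list is a reason to treat the host as compromised and rotate the credential classes listed above.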
Source: The Hacker News

