Attack Details and Vector
A widely used JavaScript inter-process communication library has been compromised for the second time in four years. Security researchers at Socket and StepSecurity have confirmed that three newly published versions of the node-ipc npm package contain obfuscated stealer and backdoor payloads. The affected versions are 9.1.6, 9.2.3, and 12.0.1. The package, which handles inter-process communication in Node.js applications, sees over 822,000 weekly downloads from developers worldwide.
The attack vector appears to be a dormant maintainer account takeover. Security researcher Ian Ahl identified that the account of an npm maintainer named atiertant had been inactive for years. The recovery email domain atlantis-software.net expired in January 2025 and was re-registered by an attacker in May 2026 through NameCheap. This allowed the attacker to trigger a standard npm password reset and gain publish rights without ever accessing the original maintainer’s systems.
Malicious Payload and Exfiltration Method
The malicious code is embedded only in the CommonJS entrypoint file named node-ipc.cjs, appended as a single obfuscated Immediately Invoked Function Expression (IIFE). The ESM module remains clean, meaning only developers using require("node-ipc") are at risk. Once triggered on module load through setImmediate, the payload forks a detached child process using an environment variable flag and begins collecting sensitive data.
The malware fingerprints the host by gathering operating system metadata including platform, architecture, hostname, and uname output. It then harvests credentials and configuration files from over 100 target patterns, covering major cloud platforms like AWS, Azure, and GCP, as well as Kubernetes, Docker, SSH keys, npm tokens, GitHub and GitLab credentials, Terraform secrets, environment files, shell histories, and macOS Keychain databases. The collected data is archived into a compressed gzip tarball and exfiltrated using DNS TXT queries rather than HTTP, routing through a fake Azure lookalike domain to avoid detection.
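As an added illustration (not code from the article or from the node-ipc project), a defender-side check in Node.js: it flags lockfile entries pinned to the three versions named above and applies a heuristic to a node-ipc.cjs source for the trailing IIFE and the setImmediate / child-process / DNS traits described. The lockfile layout, the indicator list, and the sample inputs are assumptions and constructed data, not real project files or the real payload.

```javascript
// Versions named in the advisory above.
const AFFECTED = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Walk a package-lock.json v2/v3 "packages" map (assumed layout) and return
// every node-ipc install whose version is one of the affected releases.
function findAffectedInstalls(lockJson) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    if (path.endsWith("node_modules/node-ipc") && AFFECTED.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Heuristic indicators taken from the article's description: scheduling via
// setImmediate, a forked child process, and DNS-based exfiltration.
// Assumption: a clean entrypoint does not end in an IIFE that carries these.
const INDICATORS = ["setImmediate", "child_process", "dns"];

// Inspect the text of node-ipc.cjs: does it end with a call expression such as
// `})();` or `}()` (an appended IIFE), and which indicators appear in it?
function inspectEntrypoint(source) {
  const text = source.trimEnd();
  const endsWithIife = /[)}]\s*\(\s*\)\s*;?$/.test(text);
  const indicators = INDICATORS.filter((i) => text.includes(i));
  // Flag only when both the structural and the behavioural hints line up,
  // to keep false positives on legitimately bundled files low.
  return { endsWithIife, indicators, suspicious: endsWithIife && indicators.length >= 2 };
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/other/node_modules/node-ipc": { version: "9.1.4" },
  },
};

// Constructed benign stub, and the same stub with a synthetic inert IIFE appended
// that only names the indicators; neither is the real node-ipc file or payload.
const CLEAN_CJS = 'const ipc = require("./dist/index.js");\nmodule.exports = ipc;\n';
const SUSPECT_CJS =
  CLEAN_CJS + "(function(){setImmediate(function(){/* child_process + dns in the real payload */})})();\n";

console.log(findAffectedInstalls(SAMPLE_LOCK));
console.log(inspectEntrypoint(CLEAN_CJS), inspectEntrypoint(SUSPECT_CJS));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and against the installed `node_modules/node-ipc/node-ipc.cjs`; a hit on either check warrants pinning to a clean release and rotating the credential classes listed above.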
Source: Cyber Security News
