A widely used JavaScript inter-process communication library has been weaponized again. Socket and Stepsecurity have confirmed that three newly published versions of node-ipc, a package with over 822,000 weekly downloads, contain obfuscated stealer and backdoor payloads, marking the second major supply chain compromise of this package since 2022.
The affected versions are node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1.
node-ipc npm Package Hacked
Security researcher Ian Ahl (@TekDefense), CTO at Permiso, identified the likely attack vector as a dormant maintainer account takeover.
Looking like domain takeover to get this one: Domain expired 2025-01-10, Attacker re-registered it 2026-05-07 via NameCheap.
2001-01-10 atlantis-software[.]net registered (legitimate, OVH)
2025-01-10 Domain expires (not renewed)
2026-05-07 Attacker re-registers domain via…— 1aN0rmus (@TekDefense) May 14, 2026
The account “atiertant,” one of twelve listed npm maintainers, had been inactive for years.
According to Socket security, attackers appear to have acquired the account’s recovery email domain atlantis-software[.]net after it expired, allowing them to trigger a standard npm password reset and silently gain publish rights without ever touching the original maintainer’s infrastructure.
The malicious payload is embedded exclusively in node-ipc.cjs, the CommonJS entrypoint, appended as a single obfuscated IIFE.
The ESM module remains clean. This means developers using require(“node-ipc”) are at risk, while pure ESM consumers may not be directly affected.
Once triggered via setImmediate() on module load, the payload forks a detached child process using the __ntw=1 environment variable flag, then proceeds to:
Fingerprint the host using OS metadata, including platform, architecture, hostname, and uname -a output
Harvest credentials and configuration files from over 100 target patterns, covering AWS, Azure, GCP, Kubernetes, Docker, SSH keys, npm tokens, GitHub/GitLab credentials, Terraform secrets, .env files, shell histories, and macOS Keychain databases
Archive collected data into a gzip tarball written to <tmp>/nt-<pid>/<machineHex>.tar.gz
Exfiltrate via DNS TXT queries — not HTTP — using a fake Azure lookalike domain, sh[.]azurestaticprovider[.]net, routing data through the zone bt[.]node[.]js with query prefixes xh, xd, and xf
A 500 KiB compressed archive can generate approximately 29,400 DNS TXT queries, making high-volume TXT query bursts a strong detection signal.
Attack Chain (Source: Stepsecurity)
Notably, every file in the malicious tarballs carries a forensic timestamp of October 26, 1985, a deliberate artifact useful for identifying cached or mirrored copies.
Indicators of Compromise (IOCs)
TypeIndicatorMalicious packagesnode-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1node-ipc.cjs SHA-25696097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144node-ipc-9.1.6.tgz SHA-256449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75enode-ipc-9.2.3.tgz SHA-256c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9eanode-ipc-12.0.1.tar.gz SHA-25678a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981C2 bootstrap domainsh[.]azurestaticprovider[.]netC2 IP37.16[.]75.69Exfiltration DNS zonebt[.]node[.]jsRuntime env variable__ntw=1Temp archive pattern<tmp>/nt-<pid>/<machineHex>.tar.gzNote: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Developers should immediately remove the three affected versions and audit package-lock.json, yarn.lock, and local npm caches.
Any environment variables, SSH keys, cloud credentials, or API tokens present on a system that loaded the CommonJS entrypoint should be treated as fully compromised and rotated without delay.
Security teams should hunt for DNS TXT query bursts to bt[.]node[.]js and block the bootstrap resolver domain.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post node-ipc npm Package with 822K Weekly Downloads Compromised in Supply Chain Attack appeared first on Cyber Security News.
