
Cybersecurity researchers have uncovered malicious code embedded in multiple versions of the widely used Node.js package “node-ipc,” raising fresh concerns over software supply chain attacks targeting developers and enterprise environments. Security firms Socket and StepSecurity confirmed that three recently published versions of the npm package contained obfuscated stealer and backdoor functionality capable of harvesting sensitive credentials and cloud secrets from infected systems.
The compromised versions are node-ipc@9.1.6, node-ipc@9.2.3 and node-ipc@12.0.1. According to the analysis, the malicious payload runs whenever the package is loaded at runtime rather than through npm lifecycle hooks such as install or postinstall: the attackers appended an obfuscated function directly to the package's core “node-ipc.cjs” file, so it executes silently in any application that requires node-ipc. A practical consequence is that installing with scripts disabled (npm install --ignore-scripts) does not block this payload, and a CI runner or server that imports the package is affected even if the install step itself looked clean.
The researchers report that the malware targets a broad range of developer and infrastructure secrets: AWS, Google Cloud and Microsoft Azure credentials, Kubernetes tokens, SSH keys, Terraform state files, GitHub CLI configuration, shell histories, database passwords, and settings from AI developer tools such as Claude and Kiro IDE. The stolen data is packed into encrypted archives before being sent to attacker-controlled infrastructure. Terraform state and shell history routinely contain plaintext secrets for systems well beyond the developer's own accounts, so the rotation scope after an infection is wider than the list of credential files alone.
One of the most notable findings concerns targeting. StepSecurity found that version 12.0.1 compares SHA-256 fingerprints of specific system paths against expected values before activating, which suggests the attackers were aiming at a particular developer or organization. The malicious 9.x versions, by contrast, reportedly run on any machine that loads the package, so the broader exposure for developers and enterprises is concentrated there. A gated payload of this kind stays inert in a sandbox or on an analyst's machine, so the absence of observed behaviour during dynamic analysis of 12.0.1 is not evidence that it is safe.
The malware also takes steps to avoid detection. Besides an HTTPS exfiltration channel, it reportedly sends stolen data in DNS TXT queries after pointing its resolver at a public service such as Google DNS instead of the system's configured resolver. Queries sent this way never pass through the enterprise resolver, so they do not appear in its logs; the researchers warned that this defeats traditional enterprise DNS monitoring. Detecting it requires network-level visibility, such as firewall or flow logs showing port 53 traffic from build hosts and developer machines directly to public resolvers, and the matching preventive control is to allow outbound DNS only from the organization's own resolvers.
Investigators noted that the malicious versions were published by an npm account named “atiertant,” which appeared in the package's maintainer list despite having no prior publishing history for node-ipc. The last legitimate update to the package was in August 2024, so researchers suspect either a compromised maintainer account or unauthorized access that added the account specifically to publish the malicious releases.
The incident has reignited concerns around open-source software supply chain security, especially within the JavaScript and npm ecosystems where third-party dependencies are deeply embedded into modern applications. Security experts warned that attackers are increasingly targeting developer tools, CI/CD pipelines, and package registries to gain access to enterprise credentials and cloud infrastructure. Community discussions on cybersecurity forums and social platforms also highlighted growing concerns about implicit trust in third-party packages and dependency management practices.
Researchers advise developers and organizations to remove the compromised node-ipc versions immediately and pin to known safe releases such as 9.2.1 or 12.0.0, checking lockfiles and nested node_modules trees rather than only the top-level dependency. Because the payload runs on load, any host or CI runner that imported an affected version should be treated as compromised: rotate the credentials it had access to, review cloud access logs for activity after the install, audit CI/CD pipelines, and block outbound connections to the command-and-control domains the researchers identified.




