node-ipc and AWS: 822K-Download node-ipc Package Compromised in Supply Chain Breach

Sophisticated Supply Chain Attack Targets Popular npm Package *node-ipc*

A widely used npm package, node-ipc, downloaded over 822,000 times weekly, has been weaponized in a supply chain attack, exposing JavaScript developers to credential theft and backdoor access. Security researchers at Socket identified malicious versions of the package (9.1.6, 9.2.3, and 12.0.1), published on May 14, 2026 and detected shortly afterwards.

Unlike many npm attacks, which run their payload from an install-time script, this campaign embedded the malware directly in the package's CommonJS entry point (node-ipc.cjs), so it executes automatically whenever the library is required. The ESM entry point was not modified, which limits exposure to code that loads the package with require("node-ipc"), including any transitive dependency that does so on an application's behalf.

The obfuscated payload fingerprints the host and harvests sensitive data: cloud credentials (AWS, Azure, GCP, OCI), SSH keys, Git tokens, Kubernetes and Docker configs, .env files, and CI/CD secrets. It compresses and encrypts the haul into a .tar.gz archive under /tmp/nt-<pid>/, then exfiltrates it through DNS TXT queries to attacker-controlled domains (sh.azurestaticprovider[.]net, bt.node[.]js), splitting the data into small chunks encoded in the query names so that it blends into ordinary DNS traffic and slips past network monitoring that does not inspect DNS.

Investigators traced the publication to a hijacked npm maintainer account (atiertant). The account's registered email domain had expired, so whoever re-registered the domain could receive password-reset mail and take over the account without breaching npm's own infrastructure. This underscores a growing risk: dormant maintainer accounts with stale email addresses are silent entry points for supply chain attacks.

The incident follows node-ipc's prior involvement in a 2022 geo-targeted malware campaign, raising concerns about repeated compromise or deliberate reintroduction. Security teams are advised to check lockfiles for the affected versions, rotate any credentials and secrets present on hosts that loaded them, monitor DNS logs for unusual bursts of TXT queries, and block the listed domains.

Indicators of Compromise (IOCs):

- Malicious npm versions: node-ipc 9.1.6, 9.2.3, 12.0.1 (published May 14, 2026)
- Trojanized file: node-ipc.cjs (CommonJS entry point; ESM entry unaffected)
- Staging path on infected hosts: /tmp/nt-<pid>/ (encrypted .tar.gz of harvested secrets)
- Exfiltration domains (DNS TXT queries): sh.azurestaticprovider[.]net, bt.node[.]js
- Hijacked maintainer account: atiertant

Incident record (structured metadata):

"id": "awssoc1778833973",
"linkid": "aws-healthcare-lifescience, socketinc",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'JavaScript developers and '
                                              'applications using *node-ipc*',
                        'industry': 'Technology/Software Development',
                        'location': 'Global',
                        'name': 'npm package *node-ipc*',
                        'size': '822,000 weekly downloads',
                        'type': 'Software Package'}],
 'attack_vector': 'Hijacked npm maintainer account',
 'data_breach': {'data_encryption': 'Yes (compressed and encrypted into '
                                    '.tar.gz)',
                 'data_exfiltration': 'Yes (via covert DNS TXT queries)',
                 'file_types_exposed': ['.env', 'config files', 'SSH keys'],
                 'personally_identifiable_information': 'Potential '
                                                        '(credentials, tokens)',
                 'sensitivity_of_data': 'High (credentials, secrets, PII)',
                 'type_of_data_compromised': ['Cloud credentials',
                                              'SSH keys',
                                              'Git tokens',
                                              'Kubernetes/Docker configs',
                                              '.env files',
                                              'CI/CD secrets']},
 'date_detected': '2026-05-14',
 'description': 'A widely used npm package, *node-ipc*, downloaded over '
                '822,000 times weekly, has been weaponized in a supply chain '
                'attack, exposing JavaScript developers to credential theft '
                'and backdoor access. Malicious versions (9.1.6, 9.2.3, and '
                '12.0.1) were published on May 14, 2026, embedding malware in '
                'the CommonJS entry point. The malware harvests sensitive data '
                '(cloud credentials, SSH keys, Git tokens, etc.) and '
                'exfiltrates it via covert DNS TXT queries to '
                'attacker-controlled domains.',
 'impact': {'brand_reputation_impact': 'High (repeated compromise of '
                                       '*node-ipc* package)',
            'data_compromised': 'Cloud credentials (AWS, Azure, GCP, OCI), SSH '
                                'keys, Git tokens, Kubernetes/Docker configs, '
                                '.env files, CI/CD secrets',
            'identity_theft_risk': 'High (exfiltration of PII and credentials)',
            'operational_impact': 'Potential unauthorized access to cloud '
                                  'environments and CI/CD pipelines',
            'systems_affected': 'JavaScript applications using '
                                '`require("node-ipc")`'},
 'initial_access_broker': {'backdoors_established': 'Malware embedded in '
                                                    'CommonJS entry point',
                           'entry_point': 'Hijacked npm maintainer account '
                                          '(*atiertant*)',
                           'high_value_targets': 'Cloud credentials, CI/CD '
                                                 'secrets, SSH keys'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Dormant maintainer accounts pose significant supply chain '
                    'risks; expired email domains can be exploited for '
                    'credential resets. In this incident only the CommonJS '
                    'entry point was trojanized, so ESM consumers were '
                    'unaffected; that is specific to this compromise, not a '
                    'general property of ESM packages.',
 'motivation': 'Credential theft, backdoor access, data exfiltration',
 'post_incident_analysis': {'corrective_actions': ['Enforce MFA for npm '
                                                   'maintainer accounts',
                                                   'Monitor for dormant '
                                                   'accounts with expired '
                                                   'email domains',
                                                   'Audit package entry points '
                                                   'for malicious code'],
                            'root_causes': ['Hijacked npm maintainer account '
                                            'due to expired email domain',
                                            'Lack of multi-factor '
                                            'authentication (MFA) for '
                                            'maintainer account',
                                            'Automatic execution of CommonJS '
                                            'entry point']},
 'recommendations': ['Monitor DNS logs for unusual TXT query bursts',
                     'Block listed domains (*sh.azurestaticprovider[.]net*, '
                     '*bt.node[.]js*)',
                     'Avoid malicious versions of *node-ipc* (9.1.6, 9.2.3, '
                     '12.0.1)',
                     'Use ESM version instead of CommonJS where possible',
                     'Rotate exposed credentials and secrets',
                     'Audit maintainer accounts for dormant or expired email '
                     'domains'],
 'references': [{'source': 'Socket Security Research'}],
 'response': {'containment_measures': 'Monitor DNS logs for unusual TXT query '
                                      'bursts, block listed domains',
              'enhanced_monitoring': 'Monitor DNS logs for anomalous TXT '
                                     'queries',
              'remediation_measures': 'Avoid malicious versions (9.1.6, 9.2.3, '
                                      '12.0.1), use ESM version instead of '
                                      'CommonJS',
              'third_party_assistance': 'Security researchers at Socket'},
 'title': 'Sophisticated Supply Chain Attack Targets Popular npm Package '
          '*node-ipc*',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Expired email domain allowing credential reset'}