node-ipc: Popular node-ipc npm package compromised to steal credentials

Malicious npm Supply Chain Attack Targets *node-ipc* with Credential-Stealing Malware

A new supply chain attack has compromised the widely used node-ipc npm package, injecting credential-stealing malware into three recent versions: 9.1.6, 9.2.3, and 12.0.1. The node-ipc module, which facilitates inter-process communication in Node.js applications, records over 690,000 weekly downloads despite a prior 2022 incident where its maintainer weaponized versions to overwrite data on Russian and Belarusian systems in protest of the Ukraine invasion.

Security firms Socket, Ox Security, and Upwind identified the malicious code embedded in the package’s CommonJS entrypoint (node-ipc.cjs), which executes automatically when the application loads the module. The heavily obfuscated malware fingerprints infected systems, harvests sensitive data, and exfiltrates it via DNS TXT queries, a technique designed to evade detection by blending into normal network traffic.

The stolen data includes:

  • Cloud credentials (AWS, Azure, GCP, OCI, DigitalOcean)
  • SSH keys and configs
  • Kubernetes, Docker, Helm, and Terraform credentials
  • npm, GitHub, GitLab, and Git CLI tokens
  • .env files and database credentials
  • Shell histories and CI/CD secrets
  • macOS Keychain and Linux keyring files
  • Firefox profile data (macOS)
  • Microsoft Teams local storage

To minimize detection, the malware avoids scanning .git and node_modules directories, skips files larger than 4 MiB, and deletes temporary archives post-exfiltration. Data is transmitted to a fake Azure-themed domain (sh[.]azurestaticprovider[.]net:443) and relayed to bt[.]node[.]js using query prefixes like xh, xd, and xf. Researchers estimate that exfiltrating a 500 KB archive could generate 29,400 DNS TXT requests.

The attack appears to stem from the compromise of an inactive maintainer’s account (atiertant), with no evidence of persistence or secondary payloads, suggesting a focus on rapid credential theft. Unlike the 2022 protest-driven versions, the malware does not overwrite files, indicating a shift in attacker motives. Developers are advised to remove affected versions, rotate exposed credentials, and audit lockfiles and npm caches.
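One way to carry out the lockfile audit recommended above, as an added example that is not code from the article or from the node-ipc project: it checks a parsed package-lock.json for the three affected node-ipc versions, handling both the lockfileVersion 1 layout (nested "dependencies") and the v2/v3 layout (flat "packages" keyed by install path). The sample lockfile is constructed for illustration.

```javascript
// Added example (not from the article or node-ipc): audit an npm lockfile for
// the node-ipc versions named in the advisory.
const AFFECTED = { "node-ipc": new Set(["9.1.6", "9.2.3", "12.0.1"]) };

function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (AFFECTED[name] && AFFECTED[name].has(meta.version)) {
      findings.push({ name, version: meta.version, path });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree; walk it and rebuild the
  // install path so a transitive hit is reported at its real location.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (AFFECTED[name] && AFFECTED[name].has(meta.version)) {
        findings.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  // v2 lockfiles carry both maps; only walk "dependencies" when "packages"
  // is absent, so nothing is reported twice.
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample (v3 layout): one affected copy at the top level and a
// harmless transitive copy of an unaffected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.1.5" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${f.name}@${f.version} at ${f.path}`);
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same pattern applies to the npm cache index after `npm cache ls` style listings are parsed into name/version pairs.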

Source: https://www.bleepingcomputer.com/news/security/popular-node-ipc-npm-package-compromised-to-steal-credentials/
