- What: Three malicious versions of the npm package node-ipc (9.1.6, 9.2.3, 12.0.1) contain an obfuscated stealer that executes on every require('node-ipc') call via an IIFE, bypassing lifecycle-hook monitoring.
- Impact: 90 categories of developer credentials stolen, including AWS/GCP/Azure keys, SSH keys, Kubernetes tokens, GitHub CLI configs, and shell history, exfiltrated to sh.azurestaticprovider[.]net via HTTPS and DNS tunneling.
- Fix / mitigation: Remove versions 9.1.6, 9.2.3, and 12.0.1 immediately; pin to 9.2.1 or 12.0.0 (confirmed clean); rotate all credentials accessible on affected systems.
- Who's at risk: Any developer or CI/CD pipeline that installed one of the three malicious versions; version 12.0.1 is additionally fingerprint-gated against a specific high-value target.
Three versions of the widely used node-ipc npm package have been confirmed malicious: they carry stealer malware designed to harvest developer credentials and cloud secrets. Security researchers from Socket and StepSecurity identified versions 9.1.6, 9.2.3, and 12.0.1 as compromised, with obfuscated backdoor functionality capable of fingerprinting systems, enumerating local files, and exfiltrating data to attacker-controlled infrastructure.
The compromised versions were published by an account named 'atiertant' that appears in the package's maintainer list but has no prior publishing history with node-ipc. The package's legitimate maintainer 'riaevangelist' last updated node-ipc in August 2024, making the 21-month gap before these malicious versions appeared highly suspicious. This timeline suggests either a fresh credential compromise or the deliberate addition of a malicious maintainer account specifically to distribute the backdoored code.
Comprehensive Credential Harvesting Operation
The malware targets 90 distinct categories of developer and cloud credentials, representing a comprehensive attack surface against modern development environments. The scope includes Amazon Web Services, Google Cloud Platform, and Microsoft Azure credentials, along with SSH keys, Kubernetes tokens, GitHub CLI configurations, Claude AI settings, Kiro IDE configurations, Terraform state files, database passwords, and shell history. Once harvested, the stolen data is compressed into a GZIP archive and transmitted to the command-and-control domain sh.azurestaticprovider[.]net, which masquerades as legitimate Azure infrastructure.
Unlike typical npm supply chain attacks, this malware does not rely on preinstall, install, or postinstall lifecycle hooks. Instead, the malicious payload is appended as an Immediately Invoked Function Expression (IIFE) to the end of node-ipc.cjs, so it executes unconditionally on every require('node-ipc') call. This bypasses security tools that only monitor npm lifecycle scripts, and it also means that installing with lifecycle scripts disabled (npm's --ignore-scripts) offers no protection: the code runs the first time any process loads the module, whether that is a local test run or a CI job.
Targeted Attack with Fingerprint Gating
Version 12.0.1 incorporates a sophisticated targeting mechanism that distinguishes this attack from typical opportunistic malware campaigns. The payload performs a SHA-256 fingerprint check of the primary module path and compares it against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code. According to StepSecurity researcher Sai Likhith, this means version 12.0.1 remains completely inert on any machine whose primary module path does not hash to the pre-computed target value. The attacker knew exactly which project or developer was being targeted and calculated the hash of their entry point before publishing the malicious version.
The 9.x versions lack this fingerprint gate and execute the full payload on any system that loads them, suggesting a broader targeting strategy for those releases. This dual approach indicates the attackers deployed both precision-targeted and wide-net campaigns simultaneously, maximizing their potential victim pool while also pursuing specific high-value targets.
Dual Exfiltration Channels with DNS Tunneling
The malware implements two independent exfiltration channels to ensure data theft even if one method is blocked. The primary channel uses HTTPS POST requests to transmit the compressed archive of stolen credentials to the fake Azure domain. The secondary channel employs a sophisticated DNS tunneling technique that encodes chunks of the stolen data archive as DNS TXT record queries.
To evade detection, the malware does not use the host's configured DNS resolver. It first resolves the C2 domain by querying Google Public DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1) directly, sidestepping local DNS-based security controls, and then sends all exfiltration queries straight to the resolved C2 IP address. This direct-to-C2 DNS sink is particularly evasive: the exfiltration queries never pass through a public or corporate resolver, so they appear in neither set of logs. Organizations that rely solely on DNS logging at their corporate resolvers will not see this traffic; the observable artefact is outbound port-53 traffic from a developer workstation or CI runner to an address that is not an approved resolver, which is where flow logs or egress firewall rules need to catch it.
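The following added example (not code from the page or from the researchers) shows the two network-side checks that follow from the description above, run over constructed DNS telemetry: flag queries sent to anything other than the approved internal resolver, and flag TXT queries whose subdomain looks like an encoded data chunk. The approved resolver 10.0.0.53, the client 10.1.2.3 and the address 203.0.113.10 (a documentation-range placeholder standing in for the C2 IP) are assumptions; the IOC domain is the one named in this advisory, and the chunk labels are constructed, not captured traffic.

```javascript
// Added example: detect (1) DNS sent to unapproved resolvers and (2) tunnel-like
// TXT queries, over constructed sample records. Not the malware's own code.

const APPROVED_RESOLVERS = new Set(['10.0.0.53']); // assumption: the corporate resolver
// Advisory IOC, kept defanged in source and refanged only for matching.
const IOC_DOMAIN = 'sh.azurestaticprovider[.]net'.replace('[.]', '.');

// Two 32-character labels, each a permutation of a base32-like alphabet, standing
// in for encoded chunks of a GZIP archive (constructed, not real traffic).
const CHUNK_A = 'q7hm2xa9zk3pwd5rj6tn4bc8feyu0lgs';
const CHUNK_B = '2ebd9ahq4xkc7mj0tsn3yrpf6wl8uzg5';

// Constructed records in the shape a resolver log or Zeek dns.log would give you.
const SAMPLE_LOG = [
  { src: '10.1.2.3', dst: '10.0.0.53',    qtype: 'A',   qname: 'registry.npmjs.org' },
  { src: '10.1.2.3', dst: '10.0.0.53',    qtype: 'TXT', qname: '_dmarc.example.com' },
  { src: '10.1.2.3', dst: '8.8.8.8',      qtype: 'A',   qname: IOC_DOMAIN },
  { src: '10.1.2.3', dst: '203.0.113.10', qtype: 'TXT', qname: `${CHUNK_A}.${CHUNK_B}.${IOC_DOMAIN}` },
  { src: '10.1.2.3', dst: '203.0.113.10', qtype: 'TXT', qname: `${CHUNK_B}.${CHUNK_A}.${IOC_DOMAIN}` },
];

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Labels to the left of the suffix (default: the last two labels).
function subdomainLabels(qname, suffixLabels = 2) {
  const labels = qname.split('.');
  return labels.slice(0, Math.max(0, labels.length - suffixLabels));
}

// Returns the list of reasons a single query record is suspicious (empty if none).
function analyzeQuery(rec, opts = {}) {
  const {
    approvedResolvers = APPROVED_RESOLVERS,
    iocDomains = [IOC_DOMAIN],
    minChunkChars = 30, // shorter subdomains are rarely worth flagging
    minEntropy = 3.5,   // bits/char; encoded binary sits well above ordinary hostnames
  } = opts;
  const reasons = [];
  const qname = rec.qname.toLowerCase().replace(/\.$/, '');
  if (!approvedResolvers.has(rec.dst)) reasons.push(`unapproved-resolver:${rec.dst}`);
  const matchedIoc = iocDomains.find((d) => qname === d || qname.endsWith(`.${d}`));
  if (matchedIoc) reasons.push('ioc-domain');
  // Strip the matched IOC suffix (or the last two labels) before measuring the payload part.
  const suffixLabels = matchedIoc ? matchedIoc.split('.').length : 2;
  const sub = subdomainLabels(qname, suffixLabels).join('');
  if (rec.qtype === 'TXT' && sub.length >= minChunkChars && shannonEntropy(sub) >= minEntropy) {
    reasons.push('tunnel-like-txt');
  }
  return reasons;
}

function findSuspicious(records, opts) {
  return records
    .map((r) => ({ ...r, reasons: analyzeQuery(r, opts) }))
    .filter((r) => r.reasons.length > 0);
}

for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(`${hit.src} -> ${hit.dst} ${hit.qtype} ${hit.qname}: ${hit.reasons.join(', ')}`);
}
```

The resolver check is the one that matters most here: the tunnel queries in the sample go to the C2 address itself, so a corporate resolver never logs them, and only telemetry that records the destination of every port-53 flow can surface them. The entropy heuristic is a supporting signal and needs tuning against your own baseline (CDN and anti-spam TXT lookups can be long too).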
Prior Protestware History in node-ipc
In March 2022, the legitimate node-ipc maintainer deliberately introduced destructive code in versions 10.1.1 and 10.1.2 that overwrote files on systems in Russia and Belarus as a protest against Russia's invasion of Ukraine. Subsequent versions 11.0.0 and 11.1.0 included the 'peacenotwar' dependency, also published as a protest. This history makes the package a higher-risk dependency with a track record of politically motivated code injection, which is worth weighing when deciding whether to keep it at all rather than only which version to pin.
Immediate Response Actions Required
Organizations using node-ipc must act immediately to assess potential compromise. First, identify any installations of the malicious versions (9.1.6, 9.2.3, or 12.0.1), including nested copies pulled in transitively by other packages, and remove them. Reinstall a known clean version: 9.2.1 or 12.0.0 are confirmed safe. Pin the exact version rather than a range, since a caret range such as ^9.2.1 still satisfies 9.2.3. Given the comprehensive credential harvesting capability, assume compromise and rotate all developer credentials and secrets that may have been accessible on affected systems.
- Audit npm publish activity for any packages accessible with credentials present during the compromise window
- Review CI/CD workflow run logs for suspicious activity or unexpected package installations
- Examine cloud provider audit logs (AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs) for unauthorized actions by IAM identities whose credentials were on affected systems
- Block egress traffic to sh.azurestaticprovider[.]net at the network perimeter and DNS level
- Monitor DNS telemetry and flow logs for port-53 traffic from developer workstations and CI runners to anything other than the approved internal resolvers, including public resolvers such as 8.8.8.8 and 1.1.1.1 and arbitrary external IP addresses, and for TXT queries carrying long, high-entropy labels
- Review SSH access logs for any unauthorized connections using potentially compromised keys
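For the first response step, the following added example (not code from the page, from node-ipc or from the researchers) walks an npm lockfile, finds every recorded copy of node-ipc including nested copies under other packages' node_modules, classifies each version against the malicious and confirmed-clean lists in this advisory, and warns when the direct dependency is a range rather than an exact pin. The lockfile and the package 'some-dev-tool' are constructed; the version lists come from the advisory.

```javascript
// Added example: locate and classify every node-ipc copy in an npm lockfile.
// Version lists are from this advisory; the lockfile is constructed.

const PACKAGE = 'node-ipc';
const MALICIOUS = new Set(['9.1.6', '9.2.3', '12.0.1']);
const KNOWN_CLEAN = new Set(['9.2.1', '12.0.0']);

// Constructed lockfileVersion 3 document (the shape npm 7+ writes). 'some-dev-tool'
// is a hypothetical dependency that pulls in its own nested node-ipc. Note that the
// root spec '^9.2.1' is a range, which is how 9.2.3 got installed.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^9.2.1', 'some-dev-tool': '^1.0.0' } },
    'node_modules/node-ipc': {
      version: '9.2.3',
      resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-9.2.3.tgz',
    },
    'node_modules/some-dev-tool': { version: '1.0.0', dependencies: { 'node-ipc': '^12.0.0' } },
    'node_modules/some-dev-tool/node_modules/node-ipc': {
      version: '12.0.0',
      resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-12.0.0.tgz',
    },
  },
};

function classify(version) {
  if (MALICIOUS.has(version)) return 'MALICIOUS';
  if (KNOWN_CLEAN.has(version)) return 'known-clean';
  return 'unverified'; // on neither list: review before trusting
}

// Returns [{ path, version, status }] for every installed copy of pkgName.
function findInLockfile(lock, pkgName = PACKAGE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
        hits.push({ path, version: meta.version, status: classify(meta.version) });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName) hits.push({ path, version: meta.version, status: classify(meta.version) });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Only a bare 'x.y.z' spec pins; '^9.2.1', '~9.2.1' or '*' admit 9.2.3.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// directDeps is the project's own dependency map (package.json shape).
function assess(lock, directDeps = {}) {
  const copies = findInLockfile(lock);
  return {
    copies,
    compromised: copies.some((c) => c.status === 'MALICIOUS'),
    loosePin: PACKAGE in directDeps && !isExactPin(directDeps[PACKAGE]),
  };
}

const rootDeps = SAMPLE_LOCKFILE.packages[''].dependencies;
const report = assess(SAMPLE_LOCKFILE, rootDeps);
for (const c of report.copies) console.log(`${c.status.padEnd(12)} ${c.version.padEnd(7)} ${c.path}`);
if (report.compromised) console.log('Malicious version installed: remove it and rotate every credential reachable from this host.');
if (report.loosePin) console.log(`node-ipc spec '${rootDeps[PACKAGE]}' is a range; pin exactly to 9.2.1 or 12.0.0.`);
```

To run this against a real project, pass JSON.parse of package-lock.json (or npm-shrinkwrap.json) as the lock and the dependencies block of package.json as directDeps; repeat for every lockfile in a monorepo, since a nested copy under another package is just as loaded at runtime as the top-level one.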
Supply Chain Security Implications
This incident demonstrates the evolving sophistication of npm supply chain attacks. The use of runtime execution without lifecycle hooks, fingerprint-based targeting, and dual exfiltration channels including DNS tunneling represents a significant advancement in attacker tradecraft. The fact that a dormant, high-download package was compromised after 21 months indicates attackers are increasingly patient and strategic in selecting targets.
The compromise method—either stolen maintainer credentials or a malicious account added to the maintainer list—highlights the critical importance of maintainer account security. Organizations must implement comprehensive dependency monitoring that goes beyond lifecycle script analysis to detect runtime payload execution. Security tools must evolve to identify obfuscated IIFE patterns, suspicious DNS resolver modifications, and anomalous network connections to detect these advanced supply chain attacks. The combination of targeted and opportunistic variants in a single campaign suggests attackers are optimizing their operations for both precision strikes against high-value targets and volume-based credential harvesting.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.