Cybersecurity experts are raising urgent warnings over what they’ve identified as “malicious activity” in recently released versions of the node-ipc package.
Both Socket and StepSecurity have confirmed that three specific versions of the npm package are compromised:
- node-ipc@9.1.6
- node-ipc@9.2.3
- node-ipc@12.0.1
“Initial findings show that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain hidden stealer and backdoor functionality,” Socket reported.
“The malware profiles the host system, scans and reads local files, compresses and splits the gathered data, encrypts the payload, and tries to send it out through a network endpoint chosen via DNS or IP address logic.”
StepSecurity noted that the heavily disguised payload activates whenever the package is loaded at runtime, and tries to steal a wide range of developer and cloud credentials, sending them to an external command-and-control (C2) server.
The stolen data covers 90 types of credentials, such as Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configurations, Claude AI and Kiro IDE settings, Terraform state files, database passwords, shell command history, and more. The collected information is compressed into a GZIP file and sent to the “sh.azurestaticprovider[.]net” domain.
These three versions were uploaded by a user called “atiertant,” who has no ties to the package’s original creator, “riaevangelist.” While “atiertant” is listed as a maintainer, the account has no previous publishing history with the node-ipc package. The last legitimate update to the package was in August 2024.
The fact that this widely downloaded package was tampered with after sitting untouched for 21 months suggests that either the “atiertant” account credentials were recently stolen, or the account was deliberately added as a maintainer solely to push the malicious versions.

What makes this attack particularly unusual is that it doesn’t use any npm lifecycle hooks like preinstall, install, or postinstall scripts. Instead, the malicious code is appended as an Immediately Invoked Function Expression (IIFE) at the end of “node-ipc.cjs.” This causes the malware to run automatically every time someone calls require('node-ipc').
The sophistication goes further — the payload runs a SHA-256 fingerprint check and compares it against a hard-coded hash built from eight scrambled table fragments hidden in the code, before moving on to system scanning and large-scale credential theft.
“This means version 12.0.1 remains completely inactive on any machine where the primary module path doesn’t match the expected hash value,” explained StepSecurity researcher Sai Likhith. “The attacker knows precisely which project or developer they’re targeting and calculated the hash of their entry point in advance before publishing. The 9.x versions lack this restriction and will run the full payload on any system that loads them.”
Beyond sending an HTTPS POST request to the fake Azure domain with the compressed stolen data, the malware also uses a second method to exfiltrate information. It encodes portions of the archive as DNS TXT records after switching the system’s DNS resolver to Google Public DNS, effectively bypassing local DNS-based security measures.
“It first looks up sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (backup) to get the C2 server’s IP address,” StepSecurity explained. “Then it redirects all DNS queries straight to that C2 IP for the data exfiltration process.”
“The direct-to-C2 DNS approach is a clever evasion tactic. Since the exfiltration queries never pass through public DNS resolvers, there’s no trace of bt.node.js activity in public DNS records. Organizations that depend only on DNS logging through their corporate resolvers would completely miss this traffic.”
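The blind spot StepSecurity describes, DNS queries that never reach the corporate resolver, is visible in egress flow logs rather than resolver logs. The following is an added example, not code from the article or from StepSecurity; it classifies outbound port-53 flows from a constructed log, and the internal resolver address and the log format are assumptions.

```javascript
// Added example (not from the article or StepSecurity): flag outbound DNS
// that bypasses the corporate resolver, the blind spot the quote describes.
// The resolver addresses below and the flow-log format are assumptions.
const CORPORATE_RESOLVERS = new Set(['10.0.0.53']);       // assumed internal resolver
const PUBLIC_RESOLVERS = new Set(['1.1.1.1', '8.8.8.8']); // bootstrap resolvers named above

// Constructed flow records: "<timestamp> <src> <dst>:<port> <proto>"
const SAMPLE_FLOWS = [
  '2025-05-01T10:00:01Z 10.0.1.25 10.0.0.53:53 udp',
  '2025-05-01T10:00:02Z 10.0.1.25 1.1.1.1:53 udp',
  '2025-05-01T10:00:03Z 10.0.1.25 203.0.113.7:53 udp',
  '2025-05-01T10:00:04Z 10.0.1.25 203.0.113.7:53 udp',
  '2025-05-01T10:00:05Z 10.0.1.25 93.184.216.34:443 tcp',
  'garbage line that should be skipped',
];

function parseFlow(line) {
  const m = /^(\S+) (\S+) (\S+):(\d+) (\w+)$/.exec(line);
  return m ? { ts: m[1], src: m[2], dst: m[3], port: Number(m[4]), proto: m[5] } : null;
}

// One verdict per port-53 flow; every other flow is ignored.
function classifyDns(lines) {
  const findings = [];
  for (const line of lines) {
    const f = parseFlow(line);
    if (!f || f.port !== 53) continue;
    let verdict = 'direct-dns-to-unknown-host';      // the direct-to-C2 pattern
    if (CORPORATE_RESOLVERS.has(f.dst)) verdict = 'expected';
    else if (PUBLIC_RESOLVERS.has(f.dst)) verdict = 'public-resolver-bypass';
    findings.push({ ...f, verdict });
  }
  return findings;
}

// Roll unexpected flows up per source host so a burst yields one alert.
function summarize(findings) {
  const bySrc = {};
  for (const f of findings) {
    if (f.verdict === 'expected') continue;
    const s = bySrc[f.src] || (bySrc[f.src] = { bypass: 0, direct: 0, hosts: new Set() });
    if (f.verdict === 'public-resolver-bypass') s.bypass += 1; else s.direct += 1;
    s.hosts.add(f.dst);
  }
  return Object.fromEntries(Object.entries(bySrc).map(
    ([src, s]) => [src, { bypass: s.bypass, direct: s.direct, hosts: [...s.hosts].sort() }]));
}

for (const [src, s] of Object.entries(summarize(classifyDns(SAMPLE_FLOWS)))) {
  console.log(`${src}: ${s.bypass} public-resolver, ${s.direct} direct-to-host DNS flows -> ${s.hosts.join(', ')}`);
}
```

A host that first talks to a public resolver and then sends DNS straight to an address that is not a resolver at all matches the bootstrap-then-exfiltrate sequence quoted above.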
Finally, the malware also tries to keep running even after the original Node.js process ends by spawning itself as a detached background child process, allowing the data theft to continue silently after the parent application has been shut down.
“This campaign illustrates how software supply chain attacks are advancing beyond basic malicious packages into sophisticated, infrastructure-aware credential harvesting operations,” said Avital Harel, security research lead at Upwind, in a statement. “Attackers are increasingly going after the identities and automated systems that drive modern software delivery pipelines, while engineering malware specifically to blend in with normal developer and application activity.”
This isn’t the first instance of the npm package being used for malicious purposes. In March 2022, the package’s maintainer intentionally added destructive code to versions 10.1.1 and 10.1.2 that overwrote files on computers located in Russia or Belarus as an act of protest following Russia’s military invasion of Ukraine.
Two later versions – 11.0.0 and 11.1.0 – included a dependency called “peacenotwar,” also published by the same maintainer as a “non-violent protest against Russia’s aggression.”
“The latest incident appears to involve a suspicious re-release or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt,” Socket stated.
Users are strongly advised to:
- delete the compromised node-ipc versions and reinstall a verified clean version (9.2.1 or 12.0.0);
- assume their systems may be compromised and rotate all credentials and secrets;
- review npm publish activity for any packages accessible with the rotated tokens;
- examine workflow run logs for any unusual activity;
- check cloud logs to determine whether any unauthorized actions were carried out by IAM identities whose credentials were exposed during the compromised period;
- block outbound traffic to the C2 domain.
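Finding every copy of the compromised versions is the first of those steps, and a transitive copy nested under another dependency is easy to miss. The following is an added example, not code from the article or from the node-ipc project; it scans an npm lockfile for the three versions named above and reports the clean version to pin, using a constructed sample lockfile.

```javascript
// Added example (not from the article or the node-ipc project): find the
// compromised node-ipc versions in an npm lockfile, including transitive
// copies nested under other packages. Handles lockfileVersion 1 (nested
// "dependencies") and 2/3 (flat "packages" map keyed by install path).
const COMPROMISED = new Set(['9.1.6', '9.2.3', '12.0.1']);
const CLEAN_BY_MAJOR = { 9: '9.2.1', 12: '12.0.0' }; // versions the article calls clean

function scanLockfile(lock) {
  const hits = [];
  const check = (path, version) => {
    if (COMPROMISED.has(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/node-ipc')) check(path, meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'node-ipc') check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Clean version to pin for a compromised one, chosen by major version.
function recommendedClean(version) {
  return CLEAN_BY_MAJOR[version.split('.')[0]] || null;
}

// Constructed sample lockfile (v3 shape): the top-level copy is clean, but a
// tool pulls in the targeted 12.0.1 build underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '12.0.1' },
  },
};

for (const h of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${h.path}: node-ipc@${h.version} is compromised; reinstall ${recommendedClean(h.version)}`);
}
```

Run the same scan against each repository's package-lock.json before rotating credentials, so the rotation covers every host that loaded a flagged copy.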