[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSMfLBhcyQAeKQVn8nTnZVq_hvHgIFD8_flxowBafL4w":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"aa9b6454-e13d-4366-9eb6-907d5da71be6","node-ipc npm Package Compromised in Supply Chain Attack","node-ipc-npm-package-compromised-in-supply-chain-attack-4ed0f2","Socket’s threat feed has detected malicious activity in newly published versions of node-ipc, a long-running npm package previously associated with one of the most widely discussed supply chain incidents in the JavaScript ecosystem. The affected versions confirmed as malicious are: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 Socket’s AI scanner detected the newly published malicious versions within roughly three minutes of publication, classifying the activity as malware. Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer\u002Fbackdoor behavior. The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS\u002Faddress logic. Socket’s incident response scan also noted historical malicious versions tied to the original 2022 node-ipc compromise. Versions 10.1.1 and 10.1.2 were associated with geo-targeted destructive malware that checked whether a system was located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the peacenotwar dependency, which was previously linked to unauthorized file-writing behavior. The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt. Socket classified all seven reviewed versions as malicious and recommends blocking them. This is a developing story. Socket’s Threat Research team is continuing to analyze the package contents, confirm the full scope of the compromise, and extract indicators of compromise. Developers should avoid installing the affected versions and audit any recent installs of node-ipc, especially versions 9.1.6, 9.2.3, and 12.0.1. The updated list of packages in this ongoing supply chain attack can be viewed at https:\u002F\u002Fsocket.dev\u002Fsupply-chain-attacks\u002Fnode-ipc Affected Packages # Malicious packages: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1","Socket's threat detection system identified malicious versions of the widely-used node-ipc npm package within minutes of publication. The compromised versions 9.1.6, 9.2.3, and 12.0.1 contain obfuscated stealer\u002Fbackdoor code that fingerprints hosts, exfiltrates files, and attempts data exfiltration through DNS-selected endpoints. This marks the second major compromise of node-ipc, following the notorious 2022 incident and intermediate malicious versions in 2024.","node-ipc npm package compromised again with stealer\u002Fbackdoor malware in versions 9.1.6, 9.2.3, 12.0.1","Research\u002FSecurity NewsLaravel Lang Compromised with RCE Backdoor Across 700+ VersionsLaravel Lang packages were compromised with an RCE backdoor across hundreds of versions, exposing cloud, CI\u002FCD, and developer secrets.By Socket Research Team - May 23, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fnode-ipc-package-compromised?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F5bc29841f7aeae15eaf536fdf59b10d710268253-1047x661.png?w=1000&q=95&fit=max&auto=format","2026-05-14T15:48:51.85+00:00","2026-05-14T18:00:16.77684+00:00",9,[18,21,24,27],{"name":19,"type":20},"node-ipc","product",{"name":22,"type":23},"npm","technology",{"name":25,"type":26},"Socket","vendor",{"name":28,"type":29},"node-ipc supply chain attack (2022-2026)","campaign","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":30,"icon":32,"name":33,"slug":34},null,"Supply Chain","supply-chain",[36,41,46],{"category":37},{"id":38,"icon":32,"name":39,"slug":40},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":42},{"id":43,"icon":32,"name":44,"slug":45},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":47},{"id":48,"icon":32,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52,54],{"type":40,"value":19,"context":53},"npm package with stealer\u002Fbackdoor behavior in versions 9.1.6, 9.2.3, 12.0.1",{"type":40,"value":55,"context":56},"peacenotwar","dependency included in node-ipc versions 11.0.0 and 11.1.0 with unauthorized file-writing behavior"]