[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRJzXJyuv0qhFhmbZ7x3f0lK3WQiv5xAQ5olP1Ooai2s":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"9118dacb-dc4e-4d55-8fe1-08774d67f4da","Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets","stealer-backdoor-found-in-3-node-ipc-versions-targeting-developer-secrets-958ff8","Cybersecurity researchers are sounding the alarm about what has been described as \"malicious activity\" in newly published versions of node-ipc. According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. \"Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1","Cybersecurity researchers discovered malicious code in three versions of the popular node-ipc npm package (9.1.6, 9.2.3, 12.0.1) published by a compromised account. The stealer\u002Fbackdoor harvests 90 categories of developer and cloud secrets—including AWS, Google Cloud, Azure, SSH keys, GitHub tokens, and Kubernetes credentials—and exfiltrates them via HTTPS and DNS tunneling to a C2 server. The attack uses sophisticated obfuscation and anti-detection techniques, including SHA-256 fingerprinting to target specific projects and DNS-based exfiltration to bypass corporate security controls.","Stealer backdoor discovered in 3 node-ipc npm package versions targeting developer credentials.","Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets. Ravie Lakshmanan, May 14, 2026. Developer Security \u002F Supply Chain Attack. Cybersecurity researchers are sounding the alarm about what has been described as \"malicious activity\" in newly published versions of node-ipc. 
According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. \"Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer\u002Fbackdoor behavior,\" Socket said. \"The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS\u002Faddress logic.\" StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server. The targeted secrets span 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more. The harvested data is then compressed into a GZIP archive and transmitted to the \"sh.azurestaticprovider[.]net\" domain. The three versions were published by an account named \"atiertant,\" which has no connection to the package's original author, \"riaevangelist.\" Although \"atiertant\" appears in the maintainer list, the account has no prior publish history in connection with the node-ipc package. The previous update to the package was in August 2024. The fact that the dormant, high-download package was compromised after a 21-month gap indicates that either the \"atiertant\" credentials were newly compromised, or the account was specifically added as a maintainer to publish the malicious versions. 
What's notable about the activity is that it does not rely on any npm lifecycle hooks such as preinstall, install, or postinstall scripts, instead appending the malicious payload as an Immediately Invoked Function Expression (IIFE) to the end of \"node-ipc.cjs.\" This, in turn, causes the malware to fire unconditionally on every require('node-ipc'). The oddity doesn't end there, for the payload performs a SHA-256 fingerprint check and compares it against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code, before proceeding with system enumeration and comprehensive credential harvesting. \"This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value,\" StepSecurity researcher Sai Likhith said. \"The attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing. The 9.x versions do not have this gate and will execute the full payload on any system that loads them.\" The malware also incorporates a second exfiltration channel besides issuing an HTTPS POST to the fake Azure domain containing the compressed stolen data. This involves encoding chunks of the archive as a DNS TXT record after overriding the system's DNS resolver with Google Public DNS to sidestep local DNS-based security controls. \"It first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP,\" StepSecurity said. \"Then it re-targets the resolver directly at the C2 IP for all exfiltration queries.\" \"The direct-to-C2 DNS sink is a notable anti-detection technique. Because the exfiltration queries never touch public DNS resolvers, there is no observable bt.node.js activity in public DNS logs. 
Organizations relying solely on DNS logging through corporate resolvers would not see this traffic.\" Lastly, the malware also attempts to continue execution independently of the original Node.js process by forking itself into a detached background child process, allowing exfiltration activity to continue silently after the parent application is terminated. \"This campaign reflects how software supply chain attacks are evolving beyond simple malicious packages into infrastructure-aware credential harvesting operations,\" Avital Harel, security research lead at Upwind, said in a statement. \"Attackers are increasingly targeting the identities and automation systems powering modern software delivery pipelines while designing malware specifically to blend into normal developer and application behavior.\" This is not the first time the npm package has had malicious functionality incorporated into its code. In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia's military invasion of Ukraine. Two subsequent versions – 11.0.0 and 11.1.0 – included the \"peacenotwar\" dependency, which was also published by the same maintainer as a \"non-violent protest against Russia's aggression.\" \"The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt,\" Socket said. 
Users are advised to remove the compromised node-ipc versions and re-install a known clean version (9.2.1 and 12.0.0), assume compromise and rotate credentials and secrets, audit npm publish activity for any packages accessible with the rotated tokens, review workflow run logs for suspicious activity, audit cloud logs to check if any unauthorized actions were performed by IAM identities whose credentials were available during the compromised window, and block egress traffic to the C2 domain. Update: It has since emerged that the dormant maintainer's account may have been taken over via an expired email domain. Per an X post from Ian Ahl, Chief Technology Officer (CTO) at Permiso Security, the email address for atiertant's account was hosted on a domain called \"atlantis-software[.]net\" that had expired on January 10, 2025, and was re-registered on May 7, 2026, a week before the attack took place. \"Assuming the npm account recovery email for atiertant was indeed hosted on atlantis-software[.]net, the new domain owner was then able to trigger a standard npm password reset, receive the reset email at a mailbox under their control, and gain publish rights without ever compromising any of the maintainer's own infrastructure,\" Socket said. 
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fstealer-backdoor-found-in-3-node-ipc.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhTj2m9-HHmDEDzKIsalsJ_HJcwcUsIFajvcpTLP9QMyqS9F_JroTH7lXeOGZFuO6j6F-RzbIo1kBIQ0udSFQGzjN2hxO8ZfyFeHM5557BPI1sjiJ7cEMJJE62t11e07Wt1CsmAntpLHSM0XbnQDvVYNBfNdAOsob9kN6G6-mQjKX68fEE1nzy_Bn4TvxyK\u002Fs1600\u002Fnode.jpg","2026-05-14T17:22:43+00:00","2026-05-14T20:00:16.635207+00:00",9,[18,21,24,27],{"name":19,"type":20},"node-ipc","product",{"name":22,"type":23},"npm","technology",{"name":25,"type":26},"Socket","vendor",{"name":28,"type":26},"StepSecurity","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":29,"icon":31,"name":32,"slug":33},null,"Supply Chain","supply-chain",[35,40,45],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":46},{"id":47,"icon":31,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51,55],{"type":52,"value":53,"context":54},"domain","sh.azurestaticprovider.net","C2 command-and-control domain used for stolen credential exfiltration",{"type":39,"value":56,"context":57},"node-ipc stealer\u002Fbackdoor","Obfuscated stealer and backdoor embedded in compromised npm package versions"]