
node-ipc npm Package with 822K Weekly Downloads Compromised in Supply Chain Attack

Source: Cyber Security News (https://cybersecuritynews.com), May 14, 2026

By Guru Baran, May 14, 2026

A widely used JavaScript inter-process communication library has been weaponized again. Socket and StepSecurity have confirmed that three newly published versions of node-ipc, a package with over 822,000 weekly downloads, contain obfuscated stealer and backdoor payloads, marking the second major supply chain compromise of this package since 2022. The affected versions are node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1.

node-ipc npm Package Hacked

Security researcher Ian Ahl (@TekDefense), CTO at Permiso, identified the likely attack vector as a dormant maintainer account takeover:

> LOOKING LIKE DOMAIN TAKEOVER TO GET THIS ONE: DOMAIN EXPIRED 2025-01-10, ATTACKER RE-REGISTERED IT 2026-05-07 VIA NAMECHEAP.
> 2001-01-10 ATLANTIS-SOFTWARE[.]NET REGISTERED (LEGITIMATE, OVH)
> 2025-01-10 DOMAIN EXPIRES (NOT RENEWED)
> 2026-05-07 ATTACKER RE-REGISTERS DOMAIN VIA…
> — 1aN0rmus (@TekDefense) May 14, 2026

The account "atiertant," one of twelve listed npm maintainers, had been inactive for years. According to Socket, attackers appear to have acquired the account's recovery email domain atlantis-software[.]net after it expired, allowing them to trigger a standard npm password reset and silently gain publish rights without ever touching the original maintainer's infrastructure.

The malicious payload is embedded exclusively in node-ipc.cjs, the CommonJS entrypoint, appended as a single obfuscated IIFE. The ESM module remains clean. This means developers using require("node-ipc") are at risk, while pure ESM consumers may not be directly affected.

Once triggered via setImmediate() on module load, the payload forks a detached child process using the __ntw=1 environment variable flag, then proceeds to:

- Fingerprint the host using OS metadata, including platform, architecture, hostname, and uname -a output
- Harvest credentials and configuration files from over 100 target patterns, covering AWS, Azure, GCP, Kubernetes, Docker, SSH keys, npm tokens, GitHub/GitLab credentials, Terraform secrets, .env files, shell histories, and macOS Keychain databases
- Archive collected data into a gzip tarball written to <tmp>/nt-<pid>/<machineHex>.tar.gz
- Exfiltrate via DNS TXT queries (not HTTP) using a fake Azure lookalike domain, sh[.]azurestaticprovider[.]net, routing data through the zone bt[.]node[.]js with query prefixes xh, xd, and xf

A 500 KiB compressed archive can generate approximately 29,400 DNS TXT queries, making high-volume TXT query bursts a strong detection signal.

[Figure: Attack chain (Source: StepSecurity)]

Notably, every file in the malicious tarballs carries a forensic timestamp of October 26, 1985, a deliberate artifact useful for identifying cached or mirrored copies.

Indicators of Compromise (IOCs)

Type                          Indicator
Malicious packages            node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1
node-ipc.cjs SHA-256          96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
node-ipc-9.1.6.tgz SHA-256    449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
node-ipc-9.2.3.tgz SHA-256    c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
node-ipc-12.0.1.tar.gz SHA-256 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
C2 bootstrap domain           sh[.]azurestaticprovider[.]net
C2 IP                         37.16[.]75.69
Exfiltration DNS zone         bt[.]node[.]js
Runtime env variable          __ntw=1
Temp archive pattern          <tmp>/nt-<pid>/<machineHex>.tar.gz

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Developers should immediately remove the three affected versions and audit package-lock.json, yarn.lock, and local npm caches. Any environment variables, SSH keys, cloud credentials, or API tokens present on a system that loaded the CommonJS entrypoint should be treated as fully compromised and rotated without delay. Security teams should hunt for DNS TXT query bursts to bt[.]node[.]js and block the bootstrap resolver domain.
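The lockfile and cache audit recommended above, written out as an added example that is not part of the original article or of the node-ipc project: a Python script that scans package-lock.json (v1 nested tree and v2/v3 flat "packages" map), yarn.lock (classic and Berry layouts), an installed node_modules/node-ipc/node-ipc.cjs (against the published SHA-256) and any cached .tgz (for entries dated 1985-10-26). The affected versions, hash and date come from the article; the sample lockfile contents at the bottom are constructed for the demonstration, and the tarball check assumes UTC when turning mtimes into dates.

```python
"""Audit npm/yarn lockfiles, an installed node-ipc.cjs and cached tarballs for the compromised releases."""
import hashlib
import json
import re
import tarfile
from datetime import datetime, timezone
from pathlib import Path

PACKAGE = "node-ipc"
# Indicators from the advisory: affected versions, SHA-256 of the malicious
# CommonJS entrypoint, and the forged file date inside the malicious tarballs.
AFFECTED_VERSIONS = {"9.1.6", "9.2.3", "12.0.1"}
MALICIOUS_CJS_SHA256 = "96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144"
FORGED_DATE = (1985, 10, 26)


def affected_in_package_lock(lock_text):
    """(install path, version) pairs for affected node-ipc copies in package-lock.json.

    Lockfile v2/v3 keeps a flat "packages" map keyed by node_modules path;
    v1 keeps a nested "dependencies" tree. Nested duplicates such as
    node_modules/foo/node_modules/node-ipc are found in both layouts.
    """
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.split("/")[-1] == PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append((path, meta["version"]))
        return hits

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE and meta.get("version") in AFFECTED_VERSIONS:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


_YARN_VERSION_RE = re.compile(r'^\s+version:?\s+"?([^"\s]+)"?\s*$')


def affected_in_yarn_lock(lock_text):
    """(selector, version) pairs for affected node-ipc entries in yarn.lock.

    Handles yarn classic ('node-ipc@^9.1.1:' / '  version "9.1.6"') and
    yarn Berry ('"node-ipc@npm:^9.1.1":' / '  version: 9.1.6').
    """
    hits = []
    selector = None
    for line in lock_text.splitlines():
        stripped = line.rstrip()
        if stripped and not stripped[0].isspace() and stripped.endswith(":"):
            selector = stripped[:-1].strip('"')  # unquoted entry header
            continue
        m = _YARN_VERSION_RE.match(line)
        if m and selector and selector.startswith(PACKAGE + "@") and m.group(1) in AFFECTED_VERSIONS:
            hits.append((selector, m.group(1)))
    return hits


def cjs_is_malicious(cjs_path):
    """True if the file's SHA-256 equals the published hash of the malicious node-ipc.cjs."""
    return hashlib.sha256(Path(cjs_path).read_bytes()).hexdigest() == MALICIOUS_CJS_SHA256


def forged_date_entries(tgz_path):
    """Entry names in a .tgz whose mtime (interpreted as UTC, an assumption) falls on 1985-10-26."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        return [m.name for m in tar.getmembers()
                if datetime.fromtimestamp(m.mtime, tz=timezone.utc).timetuple()[:3] == FORGED_DATE]


def audit_project(project_dir):
    """Findings as (source, location, detail) tuples for one project checkout."""
    root = Path(project_dir)
    findings = []
    if (root / "package-lock.json").is_file():
        findings += [("package-lock.json", p, v)
                     for p, v in affected_in_package_lock((root / "package-lock.json").read_text())]
    if (root / "yarn.lock").is_file():
        findings += [("yarn.lock", s, v)
                     for s, v in affected_in_yarn_lock((root / "yarn.lock").read_text())]
    cjs = root / "node_modules" / PACKAGE / "node-ipc.cjs"
    if cjs.is_file() and cjs_is_malicious(cjs):
        findings.append(("node-ipc.cjs", str(cjs), "SHA-256 matches malicious entrypoint"))
    return findings


# Constructed sample lockfiles for the demonstration (not taken from a real project).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"node-ipc": "^9.1.1"}},
        "node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "9.1.4"},
    },
})
SAMPLE_YARN_LOCK = '# yarn lockfile v1\n\nleft-pad@^1.3.0:\n  version "1.3.0"\n\nnode-ipc@^12.0.0:\n  version "12.0.1"\n'

if __name__ == "__main__":
    print("package-lock.json:", affected_in_package_lock(SAMPLE_PACKAGE_LOCK))
    print("yarn.lock:", affected_in_yarn_lock(SAMPLE_YARN_LOCK))
```

Run audit_project() against each checkout and forged_date_entries() against the .tgz files in the npm cache (the _cacache content store keeps them by hash, so walk it and try each blob as a tarball); a hit on any of the three checks means the credentials on that host should be rotated as the article describes.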
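A hunting rule for the DNS TXT burst signal and the indicators listed above, added here as an example and not taken from the article, Socket or StepSecurity. It reads resolver log lines in a simple assumed format ("<iso-timestamp> client=<ip> type=<qtype> name=<qname>"; adapt LINE_RE to your resolver's actual output), raises an indicator alert on any lookup of the bootstrap domain or of the bt.node.js exfiltration zone, and a behavioural alert when one client sends 50 or more TXT queries within a 60-second sliding window regardless of destination, so variants that move to a new zone still trip it. The window and threshold are assumptions to tune per environment; the indicators are written re-fanged only because the script string-matches them and never resolves anything. The log lines are constructed inside build_sample_log().

```python
"""Hunt resolver logs for the node-ipc DNS TXT exfiltration pattern."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Indicators from the advisory, re-fanged so they can be string-matched.
BOOTSTRAP_DOMAIN = "sh.azurestaticprovider.net"
EXFIL_ZONE = "bt.node.js"
EXFIL_PREFIXES = ("xh", "xd", "xf")

# Assumed log format (adapt to your resolver): "<iso-ts> client=<ip> type=<qtype> name=<qname>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) type=(?P<qtype>\S+) name=(?P<name>\S+)$")


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["client"], m["qtype"].upper(), m["name"].lower().rstrip(".")


def matches_indicator(name):
    """Return the indicator a query name hits, or None."""
    if name == BOOTSTRAP_DOMAIN:
        return BOOTSTRAP_DOMAIN
    if name == EXFIL_ZONE or name.endswith("." + EXFIL_ZONE):
        return EXFIL_ZONE
    return None


def analyze(lines, window_seconds=60, burst_threshold=50):
    """Alerts: one per (client, indicator) hit, plus one per client whose TXT
    query count reaches burst_threshold inside a sliding window_seconds window."""
    alerts = []
    txt_times = defaultdict(deque)  # client -> timestamps of recent TXT queries
    seen_ioc, seen_burst = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, name = rec
        ioc = matches_indicator(name)
        if ioc and (client, ioc) not in seen_ioc:
            seen_ioc.add((client, ioc))
            first_label = name.split(".")[0]
            alerts.append({"kind": "ioc", "client": client, "indicator": ioc, "first_seen": ts,
                           "query": name,
                           "exfil_prefix": first_label if ioc == EXFIL_ZONE and first_label in EXFIL_PREFIXES else None})
        if qtype == "TXT":
            q = txt_times[client]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):  # drop queries outside the window
                q.popleft()
            if len(q) >= burst_threshold and client not in seen_burst:
                seen_burst.add(client)
                alerts.append({"kind": "txt_burst", "client": client, "count": len(q),
                               "window_start": q[0], "window_end": ts})
    return alerts


def build_sample_log():
    """Constructed resolver log (not real telemetry): one noisy host, one quiet host."""
    def fmt(ts, client, qtype, name):
        return f"{ts.strftime('%Y-%m-%dT%H:%M:%S')}.{ts.microsecond // 1000:03d}Z client={client} type={qtype} name={name}"

    base = datetime(2026, 5, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = [fmt(base - timedelta(seconds=2), "10.0.0.5", "A", BOOTSTRAP_DOMAIN)]
    for i in range(60):  # 60 TXT queries over 30 seconds, chunk labels made up for the demo
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(fmt(ts, "10.0.0.5", "TXT", f"{EXFIL_PREFIXES[i % 3]}.{i:04x}.{EXFIL_ZONE}"))
    lines.append(fmt(base, "10.0.0.7", "A", "registry.npmjs.org"))
    lines.append(fmt(base + timedelta(seconds=5), "10.0.0.7", "TXT", "_dmarc.example.com"))
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The indicator match fires on the first query and is the cheap, precise check; the burst counter is the generic one and is what still catches the exfiltration when a later release swaps in a different zone, at the cost of needing a threshold tuned against your environment's legitimate TXT traffic (SPF, DKIM and DMARC lookups from mail servers are the usual noisy clients).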