Back

Supply Chain Attack on node-ipc npm Package Exposes 822K Downloads to Credential Theft

Severity: High (Score: 72.0)

Sources: Gbhackers, www.stepsecurity.io, Cybersecuritynews, Bleepingcomputer, News.Bitcoin

Summary

A supply chain attack on the node-ipc npm package has compromised three versions (9.1.6, 9.2.3, 12.0.1) with credential-stealing malware. The attack exploited an expired domain to hijack a dormant maintainer account, allowing attackers to publish malicious versions that contain an 80KB payload capable of stealing over 90 types of credentials. The malware uses DNS tunneling for data exfiltration, making detection difficult. This incident affects over 822,000 weekly downloads, posing a significant risk to developers utilizing the package in their projects. Security firms, including Socket and Slowmist, confirmed the malicious activity, which was active for about two hours before detection. Users are advised to audit their systems and rotate any exposed credentials immediately. Key Points: • Three malicious versions of node-ipc were published, affecting over 822,000 downloads. • Attackers exploited an expired domain to hijack a maintainer account and publish malware. • The malware collects sensitive credentials and exfiltrates data via DNS tunneling.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Belarus (country)
  • Russia (country)
  • Ukraine (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • atlantis-software.net (domain)
  • sh.azurestaticprovider.net (domain)
  • socket.dev (domain)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1005 - Data From Local System (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • Alibaba Cloud (company)
  • AWS (company)
  • Azure (company)
  • DigitalOcean (company)
  • Hetzner (company)
  • CommonJS (platform)
  • Doppler (platform)
  • ESM (platform)
  • Fly (platform)
  • GCP (platform)
  • Docker (tool)
  • GitHub CLI (tool)
  • Node.js (tool)
  • SSH (tool)
  • 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e (sha256)
  • 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 (sha256)
  • 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144 (sha256)
  • c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed