Supply Chain Attack on node-ipc npm Package Exposes 822K Downloads to Credential Theft

Supply Chain Attack on node-ipc npm Package Exposes 822K Downloads to Credential Theft

First seen 15 May 2026, 05:27 UTC CybersecuritynewsGbhackersThecyberexpressNews.BitcoinBleepingcomputer+5 90% similarity 72.0

Article Content

Browse articles
ThreatCluster

A supply chain attack on the node-ipc npm package has compromised three versions (9.1.6, 9.2.3, 12.0.1) with credential-stealing malware. The attack exploited an expired domain to hijack a dormant maintainer account, allowing attackers to publish malicious versions that contain an 80KB payload capable of stealing over 90 types of credentials. The malware uses DNS tunneling for data exfiltration, making detection difficult. This incident affects over 822,000 weekly downloads, posing a significant risk to developers utilizing the package in their projects. Security firms, including Socket and Slowmist, confirmed the malicious activity, which was active for about two hours before detection. Users are advised to audit their systems and rotate any exposed credentials immediately.

Key Points: • Three malicious versions of node-ipc were published, affecting over 822,000 downloads. • Attackers exploited an expired domain to hijack a maintainer account and publish malware. • The malware collects sensitive credentials and exfiltrates data via DNS tunneling.

ThreatCluster AI

Timeline

2025-01-10
Expired domain re-registered by attackers
Attackers registered the expired domain atlantis-software.net to hijack a dormant maintainer account.
News.Bitcoin
2026-05-14
Malicious versions of node-ipc published
Three trojanized versions of node-ipc were published, containing credential-stealing malware.
Thecyberexpress
2026-05-14
Attack detected and reported
Security firms Slowmist and Socket confirmed the malicious activity and alerted the community.
News.Bitcoin
2026-05-15
Security advisory issued
Users were advised to audit their systems for the compromised versions and rotate credentials.
Csoonline

Community

Browse all →