Supply Chain Attack Targets node-ipc npm Package, Exposing 822K Downloads

Severity: High (Score: 72.0)

Sources: Thecyberexpress, www.stepsecurity.io, News.Bitcoin, Gbhackers, Cybersecuritynews

Summary

On May 14, 2026, three malicious versions of the node-ipc npm package were identified, exposing a package with over 822,000 weekly downloads. The affected versions, [email protected], 9.2.3, and 12.0.1, carried an 80KB obfuscated payload capable of stealing over 90 types of credentials, including AWS keys and .env files. The attack exploited a dormant maintainer account: the attacker re-registered the email domain tied to that account, took control of it, and used it to publish the malicious versions. The malware exfiltrates stolen data via DNS tunneling, which makes it difficult to detect. Security firms SlowMist and Socket confirmed the attack and urged developers to pin to clean versions and rotate exposed secrets. The malicious packages were live for approximately two hours before detection. This incident marks the second major compromise of the node-ipc package since 2022.

Key Points

  • Three malicious versions of node-ipc were published, affecting a package with over 822,000 weekly downloads.
  • The malware targets over 90 types of credentials, including AWS keys and .env files.
  • The attack exploited a dormant maintainer account, allowing rapid publication of malicious code.
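Pinning to clean versions starts with knowing whether a bad version is already in the lockfile, including as a transitive dependency. The following is an added example (not code from the page or from any of the cited sources) that scans an npm package-lock.json for the two malicious node-ipc versions legible above; the third version is elided on the page, and the sample lockfiles are constructed.

```python
import json

# Malicious node-ipc versions legible in the summary above; the page elides a third one.
MALICIOUS_NODE_IPC_VERSIONS = {"9.2.3", "12.0.1"}

def find_compromised(lockfile_text, package="node-ipc",
                     bad_versions=MALICIOUS_NODE_IPC_VERSIONS):
    """Return sorted (install_path, version) pairs for every copy of `package`
    whose version is in `bad_versions`, including copies nested under other
    packages' node_modules (a transitive dependency can pull in a bad version
    without it ever appearing in package.json)."""
    lock = json.loads(lockfile_text)
    hits = set()
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path; the text after
        # the last "node_modules/" is the package name (root entry is "").
        for path, meta in lock["packages"].items():
            name = path.rsplit("node_modules/", 1)[-1]
            if name == package and meta.get("version") in bad_versions:
                hits.add((path, meta["version"]))
    else:
        # lockfileVersion 1: nested "dependencies" tree, walked recursively.
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == package and meta.get("version") in bad_versions:
                    hits.add((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)

# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"node-ipc": "^12.0.0"}},
        "node_modules/node-ipc": {"version": "12.0.1"},
        "node_modules/legacy-tool/node_modules/node-ipc": {"version": "9.2.1"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "legacy-tool": {"version": "1.0.0",
                        "dependencies": {"node-ipc": {"version": "9.2.3"}}},
    },
})

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK_V3), find_compromised(SAMPLE_LOCK_V1))
```

Any hit means the affected version was actually resolved into the install, so the dependency should be pinned to a clean version and any secrets reachable from the build or CI environment rotated.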

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Belarus (country)
  • Russia (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • atlantis-software.net (domain)
  • sh.azurestaticprovider.net (domain)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • AWS (company)
  • Azure (company)
  • DigitalOcean (company)
  • CommonJS (platform)
  • ESM (platform)
  • GitLab CLI (platform)
  • Helm (platform)
  • Kubernetes (platform)
  • Docker (tool)
  • GitHub CLI (tool)
  • Node.js (tool)
  • 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e (sha256)
  • 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 (sha256)
  • 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144 (sha256)
  • c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea (sha256)