
node-ipc npm package backdoored to steal credentials

A supply-chain attack has injected heavily obfuscated credential-stealing malware into newly published node-ipc versions, hiding it in the package's CommonJS entrypoint and exfiltrating data via DNS TXT queries.

A popular Node.js communications module has become the latest npm supply-chain warning—this time with malware built to harvest credentials the moment applications load.

Hackers injected credential-stealing code into newly published versions of node-ipc, a widely used inter-process communication package that supports sockets across Unix, Windows, UDP, TLS and TCP. Security teams say the malware is tucked into node-ipc's CommonJS entrypoint (node-ipc.cjs) and runs automatically whenever an application imports it.

The affected releases include node-ipc@9.1.6, node-ipc@9.2.3 and node-ipc@12.0.1. Researchers say the malicious code is heavily obfuscated, fingerprints infected systems, and then collects environment variables and sensitive local files before compressing the stolen data into archives.


The exfiltration method is also engineered to blend in. Instead of sending data over typical HTTP command-and-control traffic, the malware uses DNS TXT queries. It relies on a fake Azure-themed bootstrap resolver, sh[.]azurestaticprovider[.]net:443, before transmitting the data to 'bt[.]node[.]js' using query prefixes such as xh, xd and xf.

Socket reported that exfiltrating a 500 KB compressed archive could trigger roughly 29,400 DNS TXT requests, a volume designed to look like ordinary DNS activity. Before exfiltration, the stolen material is stored temporarily in tar.gz archives, which the malware deletes after sending to reduce forensic traces.


The scope of what the infostealer can take is broad and clearly aimed at developers and cloud operators. Researchers say it targets:

– Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean and more
– SSH keys and SSH configuration
– Kubernetes, Docker, Helm and Terraform credentials
– npm, GitHub, GitLab and Git CLI tokens
– .env files and database credentials
– Shell histories and CI/CD secrets
– macOS Keychain files and Linux keyrings
– Firefox profile and key database files on macOS
– Microsoft Teams local storage and IndexedDB paths

To keep operations efficient and less noisy, the malware skips files larger than 4 MiB and avoids scanning .git and node_modules directories. It also does not establish persistence or download additional second-stage payloads, suggesting the intent is rapid credential theft and exfiltration rather than long-term takeover.

The latest compromise appears tied to an outside actor who compromised the npm account of an inactive maintainer named 'atiertant'. The package's history is complicated: in March 2022, the maintainer published weaponized versions that targeted Russia- and Belarus-based systems with a data-overwriting module as a protest against the Russian invasion of Ukraine, yet node-ipc remains massively used, with more than 690,000 weekly downloads on npm.

For developers and teams using node-ipc, the immediate remediation is straightforward: remove the affected versions, rotate any exposed secrets and credentials, and inspect lockfiles and npm caches. The attack's design, automatic execution on load and DNS-based exfiltration, means waiting could turn a dependency update into a credential incident.
