Full Report
Multiple trojanized versions of the `node-ipc` package were uploaded to npm on 14 May 2026. The malicious versions are node-ipc@9.1.6, node-ipc@9.2.3 and node-ipc@12.0.1. The malicious code collects data and exfiltrates it via DNS tunneling. On 14 May 2026 three malicious vers...
Analysis Summary
# Incident Report: Trojanized node-ipc Supply Chain Attack
## Executive Summary
On May 14, 2026, a supply chain compromise occurred involving the popular `node-ipc` npm package. Malicious versions were published via a compromised maintainer account and were designed to harvest environment files, shell history and cloud provider credentials from any machine that loaded the package. The incident highlights the risk of automatically pulling in new dependency versions and the importance of securing package registry accounts.
## Incident Details
- **Discovery Date:** May 14, 2026
- **Incident Date:** May 14, 2026
- **Affected Organization:** Users of `node-ipc` npm package
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 14, 2026
- **Vector:** Supply Chain / Credential Theft
- **Details:** Attackers gained access to a package maintainer's account to publish trojanized versions directly to the npm registry.
### Lateral Movement
- **Details:** The attack did not involve lateral movement within a corporate network; instead it used npm's distribution mechanism to reach the development environments of every user who installed one of the malicious versions.
### Data Exfiltration/Impact
- **Details:** Malicious code gathered environment files, shell history, VPN data, and cloud provider secrets. Data was archived in a `tar.gz` file and exfiltrated via DNS tunneling.
### Detection & Response
- **Detection:** Identified by security researchers and the community shortly after the upload of versions `9.1.6`, `9.2.3`, and `12.0.1`.
- **Response:** Analysis of the `node-ipc.cjs` file revealed the malicious payload; affected versions were flagged.
## Attack Methodology
- **Initial Access:** Package hijacking via compromised maintainer credentials.
- **Persistence:** None (no persistence mechanism is installed; the routine runs each time the package is loaded).
- **Privilege Escalation:** Not applicable (runs with the privileges of the executing user/process).
- **Defense Evasion:** Malicious code was appended to a legitimate file (`node-ipc.cjs`) and executes only when the module is loaded at runtime, not through an install hook. Install-time scanners that only inspect `preinstall`/`postinstall` scripts, and `npm install --ignore-scripts`, therefore do not catch it.
- **Credential Access:** Harvesting of shell history, environment variables, and cloud-related secrets.
- **Discovery:** Enumeration of local environment files, network configurations, and VPN data.
- **Collection:** Data was compressed into a `tar.gz` archive and written temporarily to disk.
- **Exfiltration:** DNS tunneling; the collected data was encoded into crafted subdomains and the queries were sent to a hardcoded IP address.
- **Impact:** Information theft and potential compromise of downstream cloud infrastructure.
## Impact Assessment
- **Financial:** Potential costs associated with rotating compromised cloud keys and incident response.
- **Data Breach:** High-risk credentials (cloud/dev secrets) and system metadata were targeted.
- **Operational:** Minimal disruption to package functionality, but high risk to the integrity of the development lifecycle.
- **Reputational:** Significant impact on the trust of the `node-ipc` package and maintainer.
## Indicators of Compromise
- **File Indicators (Malicious npm versions):**
- `[email protected]`
- `[email protected]`
- `[email protected]`
- **Network Indicators:**
- `sh[.]azurestaticprovider[.]net`
- `37[.]16[.]75[.]69`
- `1[.]1[.]1[.]1` (used for initial DNS resolution; note that this is Cloudflare's public resolver and appears in plenty of legitimate traffic, so on its own it is a weak indicator)
- **Behavioral Indicators:**
- Unexpected outbound DNS traffic from developer machines to resolvers other than the organization's own, including DNS on non-standard ports (the report notes port 443).
- Creation of unauthorized `tar.gz` archives in temp directories.
## Response Actions
- **Containment:** Community alerts and removal/deprecation of the affected versions from the npm registry.
- **Eradication:** Users advised to remove the affected versions and reinstall a known safe version (e.g., `9.1.5` or `12.0.0`) from a clean lockfile. Reverting alone does not undo the data theft on machines that already loaded a malicious version.
- **Recovery:** Mandatory rotation of all secrets identified in the environment of any machine that executed the malicious versions.
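The recovery step above is only as good as the inventory behind it: the payload is reported to have collected environment files and shell history, so the rotation list has to be built from exactly those artefacts. The following script is an added example, not code from the report; it parses constructed sample `.env` and shell-history contents, reports the names of credentials that need rotating, and redacts the values so the checklist itself does not become another copy of the secrets.

```javascript
// Added example, not from the report: build a secret-rotation checklist from the
// artefacts the payload collected (.env files, shell history). Sample inputs are constructed.
const SAMPLE_DOTENV = [
  '# local development settings',
  'DATABASE_URL=postgres://app:hunter2@db.internal:5432/app',
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  'LOG_LEVEL=debug',
  'GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyzAB"',
].join('\n');

const SAMPLE_HISTORY = [
  'ls -la',
  'export NPM_TOKEN=npm_abcdefghijklmnopqrstuvwxyz0123456789',
  'aws sts get-caller-identity',
  'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" https://api.example.internal/',
  'git push origin main',
].join('\n');

// Variable names that conventionally hold credentials.
const SECRET_NAME_RE = /(secret|token|password|passwd|pwd|api[_-]?key|access[_-]?key|private[_-]?key|credential)/i;
// A URL with embedded "user:password@" credentials (database DSNs are the usual case).
const URL_CREDS_RE = /^[a-z][a-z0-9+.-]*:\/\/[^:/\s@]+:[^@/\s]+@/i;
// Cloud CLIs in history mean long-lived credential files (e.g. ~/.aws/credentials) probably exist.
const CLOUD_CLI_RE = /^\s*(aws|gcloud|az|doctl)\s/;

// Returns the names of .env variables that need rotating (never their values).
function dotenvSecrets(text) {
  const names = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim().replace(/^export\s+/, '');
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    if (SECRET_NAME_RE.test(name) || URL_CREDS_RE.test(value)) names.push(name);
  }
  return names;
}

// Returns findings from shell history, with the secret material replaced by <redacted>.
function historySecrets(text) {
  const findings = [];
  text.split('\n').forEach((cmd, i) => {
    const assign = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(\S+)/.exec(cmd);
    if (assign && SECRET_NAME_RE.test(assign[1])) {
      findings.push({ line: i + 1, kind: `env var ${assign[1]}`, redacted: cmd.replace(assign[2], '<redacted>') });
    } else if (/bearer\s+[^"'\s]+/i.test(cmd)) {
      findings.push({ line: i + 1, kind: 'bearer token on command line', redacted: cmd.replace(/(bearer\s+)[^"'\s]+/i, '$1<redacted>') });
    } else if (CLOUD_CLI_RE.test(cmd)) {
      findings.push({ line: i + 1, kind: 'cloud CLI used; rotate its stored credentials', redacted: cmd });
    }
  });
  return findings;
}

function rotationChecklist(dotenvText, historyText) {
  return { dotenv: dotenvSecrets(dotenvText), history: historySecrets(historyText) };
}

function main() {
  const c = rotationChecklist(SAMPLE_DOTENV, SAMPLE_HISTORY);
  console.log('rotate .env variables:', c.dotenv.join(', '));
  for (const f of c.history) console.log(`history line ${f.line}: ${f.kind}\n  ${f.redacted}`);
}
main();
```

On a real machine, feed it every `.env*` file under the developer's project directories plus `~/.bash_history` and `~/.zsh_history`, and treat anything it names, along with the cloud credential files the CLI hits point at, as compromised until rotated. The name-based regex will miss secrets stored under innocuous variable names, so review the remaining variables by hand rather than trusting the list as complete.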
## Lessons Learned
- **Credential Security:** Maintainers must use Multi-Factor Authentication (MFA) to prevent account takeovers.
- **Source vs. Distribution:** The code was not in the GitHub repository, only the npm registry, indicating a need for tools that verify the integrity between source code and published artifacts.
- **Dependency Pinning:** Relying on automated "latest" updates increases exposure to immediate supply chain attacks. Floating semver ranges have the same effect: a range such as `^9.1.5` admits both `9.1.6` and `9.2.3`, so a fresh install without a lockfile would have picked up a trojanized version automatically.
## Recommendations
- **MFA:** Enforce MFA for all package maintainers and contributors.
- **Lockfiles:** Use `package-lock.json` or `yarn.lock` to ensure consistent dependency versions across environments, and install with `npm ci` (or `yarn install --frozen-lockfile`) in CI so the lockfile is honored rather than re-resolved.
- **Secret Management:** Use dedicated secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager) rather than storing keys in environment files or shell history.
- **Monitoring:** Implement egress filtering and monitor for unusual DNS tunneling patterns in development environments.
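The behavioral indicators listed earlier and the monitoring recommendation above translate into a handful of checks on DNS query logs: queries sent to a resolver that is not the organization's, DNS on a port other than 53, queries under the known C2 domain, and the generic signature of data smuggled in query names (long, high-entropy labels and many distinct subdomains under one domain in a short window). The detector below is an added example, not from the report or from node-ipc; the C2 domain and resolver IP are the IoCs from this page, while the log format, the approved-resolver list and the sample log lines are constructed for the example.

```javascript
// Added example, not from the report: first-pass DNS-tunneling detection over
// constructed DNS query log lines, using this report's IoCs plus generic heuristics.
const C2_DOMAINS = ['sh.azurestaticprovider.net'];
const C2_RESOLVERS = new Set(['37.16.75.69']);
// Assumption: the organisation's own resolvers. 1.1.1.1 is deliberately not listed,
// but by itself it is a weak signal because a lot of legitimate software uses it.
const APPROVED_RESOLVERS = new Set(['10.0.0.53']);
const LONG_LABEL = 20;            // DNS labels this long are rare in normal traffic
const ENTROPY_MIN = 3.0;          // bits/char; hex-encoded data tops out at 4.0, hostnames sit lower
const DISTINCT_SUBDOMAINS_MIN = 3; // distinct qnames per (source, domain) before it counts as chunked exfil

// Constructed sample log, one query per line: "<ts> <src> -> <resolver>:<port> <qtype> <qname>"
const SAMPLE_LOG = [
  '2026-05-14T09:58:01Z 10.0.0.5 -> 10.0.0.53:53 A registry.npmjs.org',
  '2026-05-14T09:58:02Z 10.0.0.5 -> 1.1.1.1:443 A sh.azurestaticprovider.net',
  '2026-05-14T09:58:03Z 10.0.0.5 -> 37.16.75.69:53 A 1f8b0800a3c4f91d2e7b.0.sh.azurestaticprovider.net',
  '2026-05-14T09:58:03Z 10.0.0.5 -> 37.16.75.69:53 A 9c44e27ab5d10f3e8c6a.1.sh.azurestaticprovider.net',
  '2026-05-14T09:58:05Z 10.0.0.7 -> 10.0.0.53:53 A github.com',
];

// Shannon entropy in bits per character; encoded payloads score high, real hostnames low.
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

function parseLine(line) {
  const m = /^(\S+) (\S+) -> ([^\s:]+):(\d+) (\S+) (\S+)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], src: m[2], resolver: m[3], port: Number(m[4]), qtype: m[5], qname: m[6].toLowerCase() };
}

// Returns the reasons a single query is suspicious (empty list = nothing to report).
function analyseQuery(q) {
  const reasons = [];
  if (C2_RESOLVERS.has(q.resolver)) reasons.push('known C2 resolver IP');
  if (!APPROVED_RESOLVERS.has(q.resolver)) reasons.push('resolver not on approved list');
  if (q.port !== 53) reasons.push(`DNS on port ${q.port}`);
  if (C2_DOMAINS.some((d) => q.qname === d || q.qname.endsWith('.' + d))) reasons.push('known C2 domain');
  // Generic tunnelling heuristics: data in qnames shows up as long, high-entropy labels
  // to the left of the registrable domain (assumed here to be the last two labels).
  const labels = q.qname.split('.');
  if (labels.some((l) => l.length >= LONG_LABEL)) reasons.push('long DNS label');
  const payloadPart = labels.slice(0, -2).join('');
  if (payloadPart.length >= 16 && shannonEntropy(payloadPart) >= ENTROPY_MIN) reasons.push('high-entropy subdomain');
  return reasons;
}

// Per-query verdicts plus a volume check: many distinct subdomains under one domain
// from one source is the signature of chunked exfiltration even with no known IoC.
function analyseLog(lines) {
  const flagged = [];
  const distinct = new Map(); // "src domain" -> Set of qnames
  for (const line of lines) {
    const q = parseLine(line);
    if (!q) continue;
    const key = `${q.src} ${q.qname.split('.').slice(-2).join('.')}`;
    if (!distinct.has(key)) distinct.set(key, new Set());
    distinct.get(key).add(q.qname);
    const reasons = analyseQuery(q);
    if (reasons.length) flagged.push({ line, reasons });
  }
  const chatty = [...distinct].filter(([, names]) => names.size >= DISTINCT_SUBDOMAINS_MIN).map(([k]) => k);
  return { flagged, chatty };
}

function main() {
  const { flagged, chatty } = analyseLog(SAMPLE_LOG);
  for (const f of flagged) console.log(`ALERT ${f.reasons.join('; ')}\n  ${f.line}`);
  for (const k of chatty) console.log(`VOLUME many distinct subdomains for ${k}`);
}
main();
```

The two-label assumption for the registrable domain is the main simplification; production detectors use the public suffix list so that names under `co.uk`-style suffixes are split correctly. The resolver check is the one that would have caught this payload regardless of its domain, since a developer workstation has no business talking DNS to an arbitrary public IP.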