Full Report
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. [...]
Analysis Summary
# Incident Report: Supply Chain Compromise of node-ipc
## Executive Summary
In May 2026, a supply chain attack targeted the popular npm package `node-ipc` after the npm account of an inactive maintainer was compromised. Malicious code injected into three published versions fingerprinted the host and exfiltrated high-value credentials, including cloud provider keys and CI/CD secrets. Exfiltration used DNS tunnelling (thousands of TXT queries to an attacker-controlled domain) so that the traffic blended in with ordinary DNS and evaded network monitoring that does not inspect DNS.
## Incident Details
- **Discovery Date:** May 15, 2026
- **Incident Date:** May 2026
- **Affected Organization:** Users of `node-ipc` (Open Source ecosystem)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa May 2026
- **Vector:** Account Takeover (ATO)
- **Details:** An external actor compromised the npm account of an inactive maintainer ('atiertant') to publish malicious versions of the package.
### Lateral Movement
- **Details:** Not applicable in the traditional sense; the malware aimed for immediate execution upon package installation/load within developer environments and CI/CD pipelines.
### Data Exfiltration/Impact
- **Details:** The malware targeted environment variables, SSH keys, cloud credentials (AWS, Azure, GCP), and local configuration files. The collected data was compressed into local `.tar.gz` archives and exfiltrated in thousands of DNS TXT queries so that it blended in with legitimate DNS traffic.
### Detection & Response
- **Discovery:** Identified by security researchers at Socket, Ox Security, and Upwind.
- **Response Actions:** Malicious versions were identified; security advisories were issued to the developer community to revert to safe versions and rotate all secrets.
## Attack Methodology
- **Initial Access:** Compromised maintainer credentials for the npm registry.
- **Persistence:** None (the malware focused on rapid execution during the build/load process).
- **Privilege Escalation:** Not explicitly mentioned, though it sought high-value files across the filesystem.
- **Defense Evasion:** Heavy obfuscation of the injected code; DNS TXT queries used as the exfiltration channel instead of HTTP; temporary archives deleted after exfiltration.
- **Credential Access:** Theft of cloud provider tokens, macOS Keychains, Linux keyrings, and shell histories.
- **Discovery:** Fingerprinting infected systems and scanning for specific directory paths (Docker, Kubernetes, Terraform).
- **Collection:** Automated gathering of `.env`, `.ssh/`, and browser profile files.
- **Exfiltration:** DNS tunneling via a fake Azure-themed domain.
- **Impact:** Mass exposure of development and infrastructure credentials.
## Impact Assessment
- **Financial:** High potential cost due to the necessity of sweeping credential rotations and potential cloud resource abuse.
- **Data Breach:** Massive theft of secrets, tokens, and keys across multiple cloud and VCS platforms.
- **Operational:** Disruption of CI/CD pipelines and development workflows as teams audit dependencies.
- **Reputational:** Eroded trust in the `node-ipc` package and the broader npm ecosystem.
## Indicators of Compromise
- **Network Indicators:**
- `sh[.]azurestaticprovider[.]net` (attacker-controlled Azure-themed domain used as the DNS tunnelling endpoint)
- `bt[.]node[.]js` (Exfiltration target)
- **File Indicators:**
- Malicious versions: `[email protected]`, `[email protected]`, `[email protected]`
- Modified entrypoint: `node-ipc.cjs`
- **Behavioral Indicators:**
- Excessive DNS TXT queries originating from build servers or developer workstations.
- Unexpected creation and deletion of `.tar.gz` files in temporary directories.
## Response Actions
- **Containment:** Immediately remove the affected versions of `node-ipc` and lock dependencies to known safe versions.
- **Eradication:** Clean local npm caches and inspect lockfiles for any remaining references to the malicious versions.
- **Recovery:** Mandatory rotation of all credentials identified in the "Credential Access" section (AWS keys, GitHub tokens, etc.).
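The containment and eradication steps above come down to one question: does any lockfile in the estate still resolve `node-ipc` to a blocked version, directly or transitively? The following script is an added example, not code from the report or from the `node-ipc` project. It walks an npm lockfile (both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3) and reports every `node-ipc` occurrence with its install path and a verdict. The version strings in the block list and the sample lockfile are placeholders: this report does not recover the real malicious version numbers, so substitute the versions named in the advisory you are acting on.

```javascript
// Added example, not code from the report or from the node-ipc project:
// scan an npm lockfile for every node-ipc entry (direct or transitive) and
// flag versions on a block list. Supports lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 (flat "packages" map).
// The version strings below are placeholders: this report does not recover
// the real malicious version numbers, so take them from the advisory you act on.

const PACKAGE = 'node-ipc';

// Hypothetical block list; replace with the versions named in the advisory.
const MALICIOUS_VERSIONS = new Set(['0.0.0-bad-a', '0.0.0-bad-b', '0.0.0-bad-c']);

// lockfileVersion 1: a tree of { name: { version, dependencies: {...} } }.
function collectV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (name === PACKAGE) out.push({ version: info.version, path: here.join(' > ') });
    collectV1(info.dependencies, here, out); // nested (deduplicated) copies live here
  }
}

// lockfileVersion 2/3: keys are install paths such as
// "node_modules/some-tool/node_modules/node-ipc".
function collectV2(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    const chain = key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    if (chain.length && chain[chain.length - 1] === PACKAGE) {
      out.push({ version: info.version, path: chain.join(' > ') });
    }
  }
}

// Returns every node-ipc occurrence with a `malicious` verdict.
function scanLockfile(lock, blocklist = MALICIOUS_VERSIONS) {
  const hits = [];
  if (lock.packages) collectV2(lock.packages, hits); // v2 files also carry a legacy
  else collectV1(lock.dependencies, [], hits);       // "dependencies" tree; avoid double counting
  return hits.map((h) => ({ ...h, malicious: blocklist.has(h.version) }));
}

// Constructed lockfile for demonstration; the version numbers say nothing
// about real node-ipc releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '0.0.0-bad-a' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '0.0.0-safe' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node scan-lock.js [path/to/package-lock.json]; without a .json
  // argument the constructed sample is scanned.
  const arg = process.argv[2];
  const file = arg && arg.endsWith('.json') ? arg : null;
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = scanLockfile(lock);
  for (const h of hits) {
    console.log(`${h.malicious ? 'MALICIOUS' : 'ok       '} ${PACKAGE}@${h.version}  (${h.path})`);
  }
  if (file && hits.some((h) => h.malicious)) process.exitCode = 1; // fail the CI step on a real lockfile
}
```

Run it against every `package-lock.json` in the estate (monorepo workspaces and nested lockfiles included) before and after remediation. After pinning a safe version, clear the local cache (`npm cache clean --force`) and reinstall from the lockfile (`npm ci`) so that nothing is re-resolved from the registry; an `overrides` entry in `package.json` keeps transitive copies of `node-ipc` on the pinned version as well.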
## Lessons Learned
- **Dependency Risk:** Even popular packages with hundreds of thousands of downloads can be compromised through inactive maintainer accounts.
- **Evasion Tactics:** Attackers are increasingly moving toward non-standard exfiltration protocols (like DNS) to bypass standard firewall and EDR logic.
- **Account Security:** The importance of Multi-Factor Authentication (MFA) for open-source maintainers is paramount.
## Recommendations
- **MFA Enforcement:** Ensure all contributors to sensitive internal or public projects use MFA.
- **Dependency Pinning:** Commit `package-lock.json`, install from the lockfile rather than re-resolving versions, and run security scanning tools (e.g., `npm audit`, Socket) to detect malicious changes in newly published versions.
- **Network Monitoring:** Implement monitoring for anomalous DNS traffic patterns, particularly high volumes of TXT queries.
- **Secrets Management:** Use dedicated secrets managers rather than storing credentials in local `.env` files or shell histories.
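The behavioural indicator listed earlier (excessive DNS TXT queries from build servers or workstations) and the network-monitoring recommendation above can be turned into a concrete detection. The script below is an added example, not code from the report or from any of the researchers it names. It reads resolver query logs, groups TXT queries by client and parent domain, and alerts when a client emits a burst of TXT queries whose leftmost labels are long and high-entropy, the shape of an encoded-chunk tunnel. The log line format (`<timestamp> <client-ip> <qtype> <qname>`), the thresholds, and the sample log are assumptions; the domain in the sample is the one from the indicators section, and the encoded labels are generated locally, not captured traffic.

```javascript
// Added example, not from the report: flag DNS-tunnelling behaviour in
// resolver query logs. Signals: a burst of TXT queries from one client to one
// parent domain, long leftmost labels, and high label entropy (encoded data).
// The line format "<timestamp> <client-ip> <qtype> <qname>" is assumed; adapt
// parseLine() to your resolver (BIND querylog, Unbound, Route 53, ...).

function parseLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], qtype: m[3].toUpperCase(), qname: m[4].replace(/\.$/, '').toLowerCase() };
}

// Shannon entropy in bits per character; hex data approaches 4, base64 approaches 6.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// The attacker's zone is the suffix; everything to its left is payload.
function parentDomain(qname, labels = 3) {
  return qname.split('.').slice(-labels).join('.');
}

// Returns one alert per (client, parent domain) that shows at least two signals.
function detectTunnelling(lines, opts = {}) {
  const { minQueries = 50, minLabelLen = 30, minEntropy = 3.0 } = opts; // assumed thresholds
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.qtype !== 'TXT') continue;
    const domain = parentDomain(rec.qname);
    const key = `${rec.client}|${domain}`;
    const first = rec.qname.split('.')[0];
    let g = groups.get(key);
    if (!g) {
      g = { client: rec.client, domain, count: 0, labelLenSum: 0, entropySum: 0, names: new Set() };
      groups.set(key, g);
    }
    g.count += 1;
    g.labelLenSum += first.length;
    g.entropySum += shannonEntropy(first);
    g.names.add(rec.qname);
  }
  const alerts = [];
  for (const g of groups.values()) {
    const avgLen = g.labelLenSum / g.count;
    const avgEnt = g.entropySum / g.count;
    const reasons = [];
    if (g.count >= minQueries) reasons.push(`${g.count} TXT queries`);
    if (avgLen >= minLabelLen) reasons.push(`avg leftmost label ${avgLen.toFixed(1)} chars`);
    if (avgEnt >= minEntropy) reasons.push(`avg label entropy ${avgEnt.toFixed(2)} bits`);
    if (reasons.length >= 2) {
      alerts.push({ client: g.client, domain: g.domain, count: g.count, unique: g.names.size, reasons });
    }
  }
  return alerts;
}

// Constructed sample log: a mail host doing ordinary TXT lookups, and a build
// agent emitting 120 TXT queries carrying hex chunks to the IoC domain.
function buildSampleLog() {
  const lines = [
    '2026-05-15T10:00:00Z 10.0.0.9 TXT _dmarc.example.com',
    '2026-05-15T10:00:01Z 10.0.0.9 TXT example.com',
    '2026-05-15T10:00:02Z 10.0.0.9 A www.example.com',
  ];
  let seed = 0x1234567; // small deterministic generator for hex-looking labels
  const nextHex = () => { seed = (Math.imul(seed, 1103515245) + 12345) >>> 0; return seed.toString(16).padStart(8, '0'); };
  for (let i = 0; i < 120; i++) {
    const label = nextHex() + nextHex() + nextHex() + nextHex() + nextHex(); // 40 hex chars per query
    const ts = `2026-05-15T10:01:${String(i % 60).padStart(2, '0')}Z`;
    lines.push(`${ts} 10.0.0.42 TXT ${label}.${i}.sh.azurestaticprovider.net`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of detectTunnelling(buildSampleLog())) {
    console.log(`ALERT ${a.client} -> ${a.domain}: ${a.count} queries, ${a.unique} unique names; ${a.reasons.join('; ')}`);
  }
}
```

Grouping on the last three labels is a simplification; for production use, map the query name to its registrable domain (public-suffix aware) and run the counts over a sliding time window rather than the whole file. Requiring two independent signals keeps single-shot TXT lookups (SPF, DMARC, domain verification) from alerting while still catching a burst of encoded chunks even when the attacker uses a short-lived domain that is not yet on any block list.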