Full Report
Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious: [email protected], [email protected] and [email protected]. "Early analysis indicates that [email protected], [email protected], and [email protected]
Analysis Summary
# Tool/Technique: node-ipc Stealer Backdoor
## Overview
This is a supply chain attack involving three malicious versions of the popular `node-ipc` npm package. These versions contain an obfuscated stealer and backdoor that automatically triggers when the package is imported. The primary purpose is the targeted exfiltration of sensitive developer credentials, cloud environment secrets, and configuration files.
## Technical Details
- **Type:** Malware (Infostealer / Backdoor)
- **Platform:** Cross-platform (Windows/Linux/macOS) via the Node.js runtime.
- **Capabilities:** Host fingerprinting, credential harvesting (90+ categories), data compression (GZIP), encryption, and dual-channel exfiltration (HTTPS and DNS).
- **First Seen:** May 14, 2026 (Reported date).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0009 - Collection]**
  - [T1555 - Credentials from Password Stores]
  - [T1552 - Unsecured Credentials]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
  - [T1048.003 - Exfiltration Over Alternative Service: Exfiltration Over Domain Generation Algorithms/DNS]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1562.006 - Impair Defenses: Indicator Blocking]
## Functionality
### Core Capabilities
- **Execution via IIFE:** The malicious code is wrapped in an Immediately Invoked Function Expression at the end of `node-ipc.cjs`, ensuring it runs immediately when the package is required, bypassing npm lifecycle hooks.
- **Credential Harvesting:** Targets 90 categories of secrets including AWS, GCP, Azure, Kubernetes tokens, SSH keys, GitHub CLI configs, and shell history.
- **Data Staging:** Collected data is compressed into a GZIP archive and cryptographically enveloped.
### Advanced Features
- **Targeted Gating:** Version 12.0.1 includes a SHA-256 fingerprint check. It remains inert unless the primary module path matches a specific pre-computed hash, indicating an attack targeted at a specific individual or organization.
- **Stealthy DNS Exfiltration:** To bypass local DNS logging, the malware overrides the system resolver with Google Public DNS (8.8.8.8) to resolve the C2, then sends data chunks via DNS TXT records directly to the C2 IP.
## Indicators of Compromise
- **Malicious Package Versions:**
  - `[email protected]`
  - `[email protected]`
  - `[email protected]`
- **Network Indicators:**
  - `sh[.]azurestaticprovider[.]net` (C2 Domain)
  - `1[.]1[.]1[.]1` / `8[.]8[.]8[.]8` (Used to bypass local DNS resolvers)
- **Behavioral Indicators:**
  - Unexpected outbound HTTPS POST traffic to unauthorized domains.
  - Unusual DNS TXT queries directed at non-standard nameservers.
  - Node.js processes reading sensitive files like `~/.aws/credentials`, `~/.ssh/id_rsa`, or `.terraform.tfstate`.
## Associated Threat Actors
- **atiertant:** The npm account responsible for publishing the malicious versions. (Connection to specific groups is currently unconfirmed).
## Detection Methods
- **Signature-based:** Scan `node_modules` for the specific malicious versions of `node-ipc`.
- **Behavioral:** Monitor for Node.js applications attempting to access sensitive directories (e.g., `.aws`, `.ssh`, `.kube`) or overriding system DNS settings.
- **Network:** Monitor for traffic to `sh[.]azurestaticprovider[.]net` and detect high volumes of DNS TXT records occurring outside of standard resolution patterns.
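The network detection above (resolver override, C2 domain lookups, bursts of DNS TXT queries to a nameserver the organisation does not run) can be expressed as a small rule set over a DNS query log. The following is an added example written for this summary, not code from the report, from Socket/StepSecurity, or from node-ipc. The log line format, the internal resolver `10.0.0.53`, the client address `10.0.1.25`, the thresholds, and the stand-in C2 address `203.0.113.10` are all constructed assumptions; only the C2 domain comes from the indicators listed above.

```javascript
'use strict';

// Added example: detection logic for the DNS-based exfiltration described in
// the report. The log format, the internal resolver 10.0.0.53, the thresholds
// and the client/C2 addresses below are constructed for this demo.

// C2 domain from the report's indicators (defanged there as sh[.]azurestaticprovider[.]net).
const C2_DOMAIN = 'sh.azurestaticprovider.net';

// Constructed DNS query log, one query per line:
//   <epoch_seconds> <client_ip> <resolver_ip> <qtype> <qname>
// 10.0.1.25 plays the infected developer host; 203.0.113.10 stands in for the
// C2 IP that receives the TXT chunks (a documentation address, not a real IoC).
const SAMPLE_DNS_LOG = [
  '1700000000 10.0.1.25 10.0.0.53 A registry.npmjs.org',
  '1700000001 10.0.1.25 10.0.0.53 AAAA github.com',
  '1700000002 10.0.1.25 8.8.8.8 A sh.azurestaticprovider.net',
  '1700000003 10.0.1.25 203.0.113.10 TXT a3f1.c0de.sh.azurestaticprovider.net',
  '1700000003 10.0.1.25 203.0.113.10 TXT b7e2.c0de.sh.azurestaticprovider.net',
  '1700000004 10.0.1.25 203.0.113.10 TXT 19cc.c0de.sh.azurestaticprovider.net',
  '1700000004 10.0.1.25 203.0.113.10 TXT 44d0.c0de.sh.azurestaticprovider.net',
  '1700000005 10.0.1.25 203.0.113.10 TXT 9a1b.c0de.sh.azurestaticprovider.net',
  '1700000010 10.0.1.40 10.0.0.53 TXT _dmarc.example.com',
  '1700000011 10.0.1.40 10.0.0.53 TXT example.com',
];

const DEFAULTS = {
  allowedResolvers: new Set(['10.0.0.53']), // the organisation's own resolvers (assumed)
  txtThreshold: 3,                          // TXT queries per client/resolver pair ...
  windowSec: 60,                            // ... within this many seconds
};

function parseDnsLog(lines) {
  const records = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 5) continue; // skip malformed lines rather than crash
    const [ts, client, resolver, qtype, qname] = parts;
    records.push({ ts: Number(ts), client, resolver, qtype: qtype.toUpperCase(), qname: qname.toLowerCase() });
  }
  return records;
}

// Returns a list of alerts. Three rules map to the report's indicators:
//   c2-domain            any lookup of the C2 domain or a subdomain of it
//   unapproved-resolver  a client sending queries to a resolver we do not run
//   txt-burst            txtThreshold TXT queries to one resolver inside windowSec
function analyzeDns(records, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const alerts = [];
  const reportedPairs = new Set();
  const txtTimes = new Map(); // "client|resolver" -> timestamps of recent TXT queries

  for (const r of [...records].sort((a, b) => a.ts - b.ts)) {
    const pair = `${r.client}|${r.resolver}`;

    if (r.qname === C2_DOMAIN || r.qname.endsWith('.' + C2_DOMAIN)) {
      alerts.push({ rule: 'c2-domain', client: r.client, resolver: r.resolver, qname: r.qname });
    }

    if (!cfg.allowedResolvers.has(r.resolver) && !reportedPairs.has(pair)) {
      reportedPairs.add(pair); // report each client/resolver pair once
      alerts.push({ rule: 'unapproved-resolver', client: r.client, resolver: r.resolver });
    }

    if (r.qtype === 'TXT') {
      const recent = (txtTimes.get(pair) || []).filter((t) => r.ts - t < cfg.windowSec);
      recent.push(r.ts);
      txtTimes.set(pair, recent);
      if (recent.length === cfg.txtThreshold) { // fire once as the threshold is crossed
        alerts.push({ rule: 'txt-burst', client: r.client, resolver: r.resolver, count: recent.length });
      }
    }
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of analyzeDns(parseDnsLog(SAMPLE_DNS_LOG))) console.log(JSON.stringify(a));
}
```

On the sample log the legitimate TXT lookups from `10.0.1.40` (DMARC/SPF style records against the corporate resolver) produce nothing, while the infected host trips all three rules: the initial C2 resolution through `8.8.8.8`, the TXT chunks sent straight to an unapproved nameserver, and the burst itself. The `unapproved-resolver` rule is the one that most directly catches the resolver-override trick, because it does not depend on knowing the C2 domain in advance.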
## Mitigation Strategies
- **Version Pinning:** Pin npm dependencies to known-good versions and use a lockfile (`package-lock.json`).
- **Dependency Auditing:** Regularly run `npm audit` and use SCA (Software Composition Analysis) tools to detect compromised packages.
- **Network Egress Filtering:** Restrict developer environments to authorized domains and block direct outbound DNS traffic (port 53) to external resolvers.
- **Secret Management:** Use dedicated secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager) instead of storing credentials in plaintext files or environment variables.
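The signature-based detection step (scan `node_modules` for the malicious `node-ipc` versions) and the version-pinning mitigation above both come down to inspecting what the lockfile and `package.json` actually say. The script below is an added example for this summary; it is not code from the report, from Socket/StepSecurity, or from the node-ipc project. It assumes the standard npm lockfile layouts (`packages` map for lockfileVersion 2/3, nested `dependencies` tree for lockfileVersion 1). The sample lockfile and `package.json` objects are constructed, `12.0.1` is the only malicious version the page names, and the two `<REDACTED_VERSION_…>` entries are placeholders to be filled in from the advisory.

```javascript
'use strict';

// Added example: scan an npm lockfile for installs of node-ipc whose version is
// on a denylist, and flag dependency specs in package.json that are not exact
// pins. All sample data below is constructed; it is not from a real project.

// 12.0.1 is the version named in the report's gating description; the other
// two malicious versions are redacted on the page, so the placeholders must be
// replaced from the advisory (as written they never match anything).
const MALICIOUS_VERSIONS = new Set(['12.0.1', '<REDACTED_VERSION_2>', '<REDACTED_VERSION_3>']);

// Constructed lockfileVersion 3 lockfile: a top-level node-ipc at the malicious
// version plus a nested copy (9.2.1 is just a sample, not a safety claim).
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-ipc': '^12.0.0' } },
    'node_modules/node-ipc': { version: '12.0.1' },
    'node_modules/some-tool': { version: '1.2.3' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.1' },
  },
};

// Constructed lockfileVersion 1 lockfile (nested "dependencies" tree).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': { version: '1.2.3', dependencies: { 'node-ipc': { version: '12.0.1' } } },
  },
};

// Constructed package.json with one exact pin and two floating ranges.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { 'node-ipc': '^12.0.0', express: '4.18.2' },
  devDependencies: { eslint: '~8.0.0' },
};

// Every install path of `name` in the lockfile, including nested copies.
function findInstalls(lock, name) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: recursive tree
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) hits.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function scanLockfile(lock, name, denylist) {
  return findInstalls(lock, name).map((h) => ({ ...h, malicious: denylist.has(h.version) }));
}

// An exact pin is a bare version such as "12.0.1". Anything else (^, ~, ranges,
// "*", dist-tags) lets a fresh `npm install` float to a newer, possibly malicious release.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function unpinnedSpecs(pkgJson) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [dep, spec] of Object.entries(pkgJson[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name: dep, spec });
    }
  }
  return out;
}

// Stand-alone use: node scan-node-ipc.js [package-lock.json] [package.json]
// (falls back to the constructed samples when no paths are given).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const load = (file, fallback) => (file ? JSON.parse(fs.readFileSync(file, 'utf8')) : fallback);
  const lock = load(process.argv[2], SAMPLE_LOCK_V3);
  const pkg = load(process.argv[3], SAMPLE_PACKAGE_JSON);
  for (const f of scanLockfile(lock, 'node-ipc', MALICIOUS_VERSIONS)) console.log(JSON.stringify(f));
  for (const u of unpinnedSpecs(pkg)) console.log(`unpinned: ${u.field}.${u.name} = ${u.spec}`);
}
```

Walking nested install paths matters because a transitive copy of `node-ipc` pulled in by another tool is just as dangerous as a direct dependency, and a top-level check of `package.json` alone would miss it. The caret range on `node-ipc` in the sample is exactly the kind of spec that lets a malicious release land on the next install; combining an exact pin with `npm ci` (which installs only what the lockfile records) and `npm config set save-exact true` removes that drift.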
## Related Tools/Techniques
- **peacenotwar:** A previous "protestware" dependency associated with `node-ipc`.
- **Supply Chain Attacks:** Similar to the `colors.js` or `ua-parser-js` compromises where legitimate packages were updated with malicious code.