Widely Used npm Package node-ipc Hijacked in Stealthy Supply Chain Attack

A JavaScript library downloaded more than 822,000 times each week has become the latest casualty in a wave of sophisticated supply chain compromises. Security researchers at Socket uncovered multiple malicious versions of node-ipc, a popular npm package, that were silently harvesting credentials and planting backdoors. The affected versions 9.1.6, 9.2.3, and 12.0.1 were flagged almost immediately after publication, but not before exposing countless developer environments to potential data theft.

Unlike many npm supply chain attacks that rely on typosquatting or install-time scripts, this campaign hides its payload directly inside the package's CommonJS entry point, a file called node-ipc.cjs. The malicious code executes automatically the moment the package is required, bypassing a range of traditional detection methods. Interestingly, the ESM version of node-ipc remains clean, so only applications that load it with require("node-ipc") are vulnerable.

How the Malware Operates

Once triggered, the heavily obfuscated malware fingerprints the host system, enumerating local files and environment variables. It then compresses and encrypts stolen data before exfiltrating it through covert DNS TXT queries, a technique specifically designed to evade standard network monitoring. This approach makes it particularly hard to spot without deep packet inspection or dedicated DNS logging.

The malware casts a wide net across sensitive developer assets. It targets cloud credentials for AWS, Azure, GCP, and OCI, as well as SSH keys, Git credentials, and API tokens. Kubernetes, Docker, and Terraform configurations are also in its crosshairs, alongside .env files, database configs, and CI/CD secrets. System-level artifacts, including /etc/hosts and full environment dumps, are collected too.

Stolen files are renamed and compressed into a .tar.gz archive stored at /tmp/nt-<pid>/. From there, they are exfiltrated via DNS queries to attacker-controlled domains that mimic legitimate Azure infrastructure. A single compromised system can generate tens of thousands of DNS requests, splitting encoded data into small chunks to avoid detection.

Compromised Maintainer Account

Investigators believe the attack originated from a hijacked npm maintainer account. The threat actor reportedly exploited an expired email domain linked to a dormant account under the name “atiertant.” They reset the credentials and published the malicious versions without ever breaching npm’s core infrastructure. This tactic highlights a critical and growing blind spot in open-source security: abandoned maintainer accounts that function as silent entry points.

This is not node-ipc’s first controversy. The package was involved in a destructive geo-targeted malware incident back in 2022, raising questions about whether this represents repeated compromise or deliberate reintroduction. Developers are left wondering how many more dormant accounts might be lurking with access to widely used packages.

What Developers Should Do Now

If you have node-ipc installed, immediately remove the affected versions: 9.1.6, 9.2.3, and 12.0.1. Rotate all cloud keys, SSH keys, and API tokens as a precaution. Audit your transitive dependencies to ensure no hidden copies remain. Security teams should monitor DNS logs for unusual bursts of TXT queries and block the following domains across all endpoints: h[.]azurestaticprovider[.]net and bt[.]node[.]js.
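One way to carry out the dependency audit above, as an added example that is not code from the article, Socket or the node-ipc project: it scans an npm lockfile for the three affected versions, including transitive copies nested under other packages, and assumes the standard lockfileVersion 1 and 2/3 layouts. The sample lockfile and the package name "some-tool" are constructed.

```javascript
// Added example, not from the article or the node-ipc project: audit an npm
// lockfile for the three affected node-ipc versions, including transitive copies
// nested under other packages. Supports lockfileVersion 1 ("dependencies" tree)
// and lockfileVersion 2/3 ("packages" keyed by install path).
const AFFECTED_NODE_IPC = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Returns [{ path, version }] for every installed node-ipc at an affected version.
function findAffectedNodeIpc(lock) {
  const hits = [];
  const check = (installPath, name, meta) => {
    if (name === "node-ipc" && meta && AFFECTED_NODE_IPC.has(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  };
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/node-ipc"
    for (const [p, meta] of Object.entries(lock.packages)) {
      check(p, p.split("node_modules/").pop(), meta);
    }
  } else {
    // v1: nested "dependencies" objects, one level per node_modules directory
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        check(p, name, meta);
        walk(meta.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (v3 layout): an unaffected top-level node-ipc plus a hidden
// transitive copy at an affected version under a hypothetical "some-tool".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.2.3" },
  },
};

// Usage: node audit-node-ipc.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
const lock = process.argv[2]
  ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"))
  : SAMPLE_LOCK;
for (const hit of findAffectedNodeIpc(lock)) {
  console.log(`AFFECTED node-ipc@${hit.version} at ${hit.path}`);
}
```

Run it against every lockfile in a monorepo, not just the root one, since a nested copy is exactly what "audit your transitive dependencies" is meant to catch.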

The indicators of compromise include the malicious package versions node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. The exfiltration domain is bt[.]node[.]js, and the DNS pattern uses xh., xd., xf.* subdomains. The temp file path is /tmp/nt-<pid>/<machineHex>.tar.gz. Notably, the artifact timestamps show an anomalous date of October 26, 1985.

Lessons for the Open Source Ecosystem

This incident serves as a stark reminder that trust in open source is fragile. When a package maintainer’s email domain expires, it becomes a vulnerability waiting to be exploited. The npm ecosystem needs better mechanisms for verifying maintainer identity and for decommissioning accounts that have gone silent.

Perhaps the most unsettling aspect is the sheer reach of this attack. With over 822,000 weekly downloads, node-ipc is embedded in thousands of applications across industries. The malware’s focus on cloud and CI/CD credentials means a single compromised developer machine could give attackers access to entire production environments.

Moving forward, developers should treat every dependency update with a healthy dose of skepticism. Package integrity checks, runtime monitoring, and DNS audit logs are no longer optional; they are essential defenses in an era where supply chain attacks are increasingly stealthy and targeted. The open source community must adapt, or risk becoming a soft target for the next attacker waiting in the wings.
