Malicious node-ipc releases steal developer and cloud secrets
Obfuscated stealer/backdoor in node-ipc versions 9.1.6, 9.2.3 and 12.0.1 fingerprints hosts and exfiltrates developer and cloud credentials to sh.azurestaticprovider[.]net.
Researchers at Socket and StepSecurity found obfuscated stealer and backdoor code in three npm releases of the popular package ‘node-ipc’ — versions 9.1.6, 9.2.3 and 12.0.1. The code activates when a project requires ‘node-ipc’, fingerprints the host, collects files and attempts to send the data to the domain sh.azurestaticprovider[.]net.
The payload reads local files, compresses the collected data into a GZIP archive, wraps it in a cryptographic envelope and breaks it into chunks for transmission. Researchers reported the code attempts to harvest roughly 90 categories of credentials and secrets, including Amazon Web Services, Google Cloud and Microsoft Azure keys, SSH keys, Kubernetes tokens, GitHub CLI configurations, Terraform state files, database passwords, shell history and IDE settings.
The malicious code was appended as an Immediately Invoked Function Expression to the end of node-ipc.cjs so it runs whenever require('node-ipc') is executed. Versions 9.1.6 and 9.2.3 run the full payload on any system that loads them. Version 12.0.1 contains a SHA-256 fingerprint gate: the code assembles a hard-coded hash from obfuscated fragments and checks the primary module path before proceeding. StepSecurity researcher Sai Likhith wrote, “This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value. The attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing.”
The malware uses two exfiltration channels. One sends the compressed archive to sh.azurestaticprovider[.]net over HTTPS. The other encodes archive chunks as DNS TXT records after overriding the system DNS resolver to public resolvers such as 1.1.1.1 or 8.8.8.8 to obtain the command-and-control IP, then directs further queries to that IP. Researchers warned the direct-to-C2 DNS approach can bypass corporate DNS logs that only record traffic through internal resolvers.
The three tainted releases were published by an npm account named ‘atiertant’, which does not match the package’s original author, ‘riaevangelist’. The package had been inactive for about 21 months; the previous update was in August 2024. The publishing account has no prior history linked to node-ipc, which led analysts to conclude either maintainer credentials were compromised or an account was added as a maintainer to push the updates.
Researchers advised removing node-ipc@9.1.6, @9.2.3 and @12.0.1 and reinstalling known clean releases such as 9.2.1 or 12.0.0. They recommended treating affected systems as potentially compromised, rotating credentials and secrets, auditing npm publish tokens for unauthorized access, reviewing workflow run logs for unusual activity, checking cloud logs for unauthorized IAM actions during the exposure window, and blocking egress to the C2 domain.
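A lockfile audit for the three releases named above, as an added example (not code from the article, the researchers or the node-ipc project): it walks an npm package-lock.json in both the v1 nested layout and the v2/v3 flat "packages" layout, so transitive copies under nested node_modules directories are caught too. The lockfile below is constructed for illustration.

```javascript
// Added example: flag the node-ipc releases reported as malicious in a
// parsed package-lock.json. Load a real one with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass it in.
const TAINTED = { 'node-ipc': new Set(['9.1.6', '9.2.3', '12.0.1']) };

// Lockfile v2/v3: "packages" is keyed by install path, e.g.
// "node_modules/node-ipc" or "node_modules/lib/node_modules/node-ipc".
// Lockfile v1: "dependencies" is a tree, each entry nesting its own deps.
function findTainted(lock, tainted = TAINTED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Last segment after the final "node_modules/" is the package name
      // (scoped names like "@scope/pkg" survive this split intact).
      const name = path.split('node_modules/').pop();
      if (tainted[name]?.has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
    }
  }
  if (lock.dependencies) walkV1(lock.dependencies, '', tainted, hits);
  return hits;
}

function walkV1(deps, parent, tainted, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${parent}node_modules/${name}`;
    if (tainted[name]?.has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, tainted, hits);
  }
}

// Constructed sample: one tainted top-level copy, one clean nested copy (9.2.1).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/node-ipc': { version: '9.2.1' },
  },
};

for (const h of findTainted(SAMPLE_LOCK)) {
  console.log(`TAINTED ${h.name}@${h.version} at ${h.path}`);
}
```

A hit means the host should be handled as the researchers describe: reinstall a clean release, then rotate secrets and review tokens and cloud logs.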
The package has a prior incident in March 2022 when a maintainer added code in versions 10.1.1 and 10.1.2 that overwrote files on systems in Russia and Belarus. Later versions included a dependency named ‘peacenotwar’. Socket described the recent activity as a suspicious reintroduction of malicious code into a known package rather than a simple typo-squatting attempt.