
Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor

1 unique source, 1 article

Summary


Three legitimate versions of the widely used node-ipc npm package were republished with malicious code by an unauthorized maintainer account. The affected versions—9.1.6, 9.2.3, and 12.0.1—contain obfuscated stealer/backdoor functionality that runs as soon as the package is loaded with require('node-ipc'), exfiltrating extensive developer and cloud secrets to a rogue command-and-control (C2) server. The attack uses novel anti-detection techniques including host fingerprinting, DNS-based exfiltration via Google Public DNS, and conditional payload execution tied to a SHA-256 hash of the entry module path, indicating targeted operations. This incident follows a prior 2022 protest incident in which the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus. The campaign highlights the risks of dormant package compromise and the use of legitimate npm accounts to deliver supply-chain malware with advanced evasion tactics aimed at bypassing traditional security monitoring.

Timeline

  1. 14.05.2026 20:22

    Malicious node-ipc Versions 9.1.6, 9.2.3, and 12.0.1 Discovered with Stealer Payload

    Security researchers identified three compromised versions of the node-ipc npm package—9.1.6, 9.2.3, and 12.0.1—containing obfuscated stealer/backdoor behavior. The malicious payload triggers on require('node-ipc'), performs host fingerprinting, enumerates files, compresses and exfiltrates credentials and secrets to sh.azurestaticprovider[.]net via HTTPS POST and DNS TXT using Google Public DNS for anti-detection. Version 12.0.1 includes a conditional execution gate based on a precomputed SHA-256 hash of the entry module path, while 9.x versions execute on any system loading them. The payload targets 90 categories of developer and cloud secrets.


Information Snippets

  • Three npm package versions of node-ipc—9.1.6, 9.2.3, and 12.0.1—were republished by an unauthorized account named "atiertant" with no prior maintainer history on the package.

    First reported: 14.05.2026 20:22
  • The malicious payload is appended as an Immediately Invoked Function Expression (IIFE) to node-ipc.cjs and executes unconditionally on every require('node-ipc').

    First reported: 14.05.2026 20:22
  • The payload fingerprints the host environment, enumerates and reads local files, compresses harvested data into a GZIP archive, and exfiltrates credentials and secrets to the domain sh.azurestaticprovider[.]net via HTTPS POST and DNS TXT over Google Public DNS.

    First reported: 14.05.2026 20:22
  • The stealer targets 90 categories of credentials including AWS, GCP, Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Terraform state, database passwords, shell history, and IDE settings.

    First reported: 14.05.2026 20:22
  • Version 12.0.1 includes a conditional gate: payload execution is gated by a SHA-256 hash of the entry module path, making it inert on systems that do not match the attacker's precomputed target. Versions 9.x lack this gate and execute on any system loading them.

    First reported: 14.05.2026 20:22
  • DNS exfiltration traffic bypasses public DNS logging by overriding the resolver to target the C2 IP directly via Google Public DNS (1.1.1.1 or 8.8.8.8), evading DNS-based detection controls.

    First reported: 14.05.2026 20:22
  • In March 2022, the original maintainer (riaevangelist) introduced protest payloads in versions 10.1.1 and 10.1.2 that overwrote files on systems in Russia or Belarus, and versions 11.0.0 and 11.1.0 included a "peacenotwar" dependency as a non-violent protest.

    First reported: 14.05.2026 20:22

Similar Happenings

Cross-Platform Supply Chain Attack Expands with Mini Shai-Hulud Malware via PyPI and npm Ecosystems

The Mini Shai-Hulud supply chain attack has escalated into a multi-ecosystem campaign, now confirmed to have breached OpenAI’s internal systems via compromised TanStack packages. Two OpenAI employees’ devices were infected, resulting in limited credential theft from internal repositories but no impact on customer data, production systems, or deployed software. OpenAI responded by isolating systems, rotating credentials, and updating code-signing certificates for macOS applications, requiring user updates by June 12, 2026. The attack initially targeted TanStack and Mistral AI, spreading to UiPath, Guardrails AI, and OpenSearch through stolen CI/CD credentials and legitimate GitHub Actions workflows. Researchers identified hundreds of compromised npm and PyPI packages (373 npm package-version entries across 169 names, with at least double that number across organizations) designed to steal developer credentials, self-propagate via compromised maintainer accounts, and abuse trusted publishing workflows. The malware employs heavily obfuscated JavaScript payloads with Bun-based execution, targets IDE integrations for persistence, and includes destructive sabotage components on Linux systems. Threat actors, assessed as TeamPCP, continue refining tactics to maximize reach and evade detection, underscoring the urgency for credential rotation and provenance verification across ecosystems.