
Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
Happening score: 34
2 unique sources, 2 articles

Summary


Three node-ipc releases carry an obfuscated stealer/backdoor that harvests developer and cloud secrets from any system that loads the package. The malicious code is present in [email protected], 9.2.3, and 12.0.1, and it runs at load time, when `require('node-ipc')` is evaluated; no separate install hook is needed. The payload fingerprints the host, enumerates local files, compresses the collected data, and sends the archive to sh.azurestaticprovider[.]net over HTTPS or via DNS TXT records. The 9.x releases run the payload on every host that loads them, while 12.0.1 adds a SHA-256 check that limits execution to a specific, targeted module path.

Related Happenings

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

How related: The latest compromise appears to be the work of an external actor who took over the account of 'atiertant', an inactive node-ipc maintainer, and published the malicious releases through it.

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

PyTorch Lightning hit by network compromise

Incident
First: 04.05.2026 20:15 Last: 04.05.2026 20:15 Sources 1

About this happening: A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 Last: 30.04.2026 19:31 Sources 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

Malicious npm packages @automagik/genie and pgserve self-propagating malware

Malware Activity
First: 24.04.2026 11:10 Last: 24.04.2026 11:10 Sources 1

About this happening: **Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...

Npm supply-chain worm that steals publishing tokens and self-propagates

Malware Activity
First: 22.04.2026 15:57 Last: 22.04.2026 15:57 Sources 1

About this happening: A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...

Timeline

  1. 14.05.2026 20:22 2 articles

    Researchers flag malicious node-ipc releases

    Initial Disclosure

    Socket and StepSecurity identify [email protected], node-ipc@9.2.3, and node-ipc@12.0.1 as malicious releases carrying an obfuscated stealer/backdoor that runs when `require('node-ipc')` is called, fingerprints the host, enumerates local files, harvests developer and cloud secrets, and exfiltrates the data to sh.azurestaticprovider[.]net over HTTPS and DNS TXT channels. Affected users are advised to remove the compromised versions, reinstall the clean releases 9.2.1 and 12.0.0, rotate credentials and secrets that were present on hosts that loaded the package, review npm publish and CI workflow logs, and block egress to the C2 domain.
