Malicious Node-IPC Versions Expose Developer Secrets to Stealer Backdoor

"Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior," Socket said.

What researchers found in the three node-ipc releases

Security firms Socket and StepSecurity have confirmed malicious code in three published npm package versions: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. The payloads are heavily obfuscated and trigger when the package is required at runtime, according to StepSecurity. The three releases were published by an account named "atiertant," which is not connected to the original package author "riaevangelist" and has no prior publish history for the package.

How the backdoor executes: IIFE insertion and a SHA-256 gate

Unlike many supply-chain incidents that use npm lifecycle hooks, the malicious code does not employ preinstall, install, or postinstall scripts. Instead, the attackers appended an Immediately Invoked Function Expression (IIFE) to the end of node-ipc.cjs so that the payload executes unconditionally on every require('node-ipc').

StepSecurity detailed a distinctive control in version 12.0.1: the payload performs a SHA-256 fingerprint check and compares it to a hard-coded hash assembled from eight obfuscated table fragments embedded in the code. "This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value," StepSecurity researcher Sai Likhith said. By contrast, the 9.x releases do not include this gate and will execute the full payload on any system that loads them.

What the malware harvests and how it exfiltrates data

StepSecurity and Socket report the malware fingerprints host environments, enumerates and reads local files, compresses and chunks collected data, cryptographically envelopes the payload, and attempts exfiltration to an external command-and-control server. The firms list an expansive set of 90 credential categories targeted for theft, naming Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more.

Collected artifacts are compressed into a GZIP archive and sent to the domain "sh.azurestaticprovider[.]net" via an HTTPS POST. A second exfiltration channel encodes chunks of the archive into DNS TXT records. To bypass local DNS-based controls, the malware first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP, then retargets the resolver directly at the C2 IP for subsequent exfiltration queries. StepSecurity warned that because the code directs queries straight to the C2 IP, "there is no observable bt.node.js activity in public DNS logs" and corporate DNS logging alone may not surface the traffic.

The "atiertant" maintainer anomaly and package history

The three malicious versions were pushed by the account "atiertant," which appears in the package maintainer list but has no previous publish record for node-ipc. The package's prior update was in August 2024, creating a 21-month gap before the malicious republishing. Socket noted that this dormancy suggests either newly compromised maintainer credentials or that "atiertant" was specifically added as a maintainer to publish the malicious versions.

This is not the first time node-ipc has delivered harmful functionality. In March 2022, the package maintainer inserted destructive behavior into versions 10.1.1 and 10.1.2 to overwrite files on systems in Russia or Belarus, and later versions included the "peacenotwar" dependency published by the same maintainer as a "non-violent protest against Russia's aggression." Socket characterized the current incident as "a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt."

Remediation guidance for developers, security teams, and maintainers

Socket and StepSecurity recommend immediate steps for anyone using node-ipc. Remove the compromised versions and reinstall known clean releases: 9.2.1 and 12.0.0. Users should assume compromise and rotate credentials and secrets that may have been exposed. Additional recommended actions include auditing npm publish activity for any packages accessible with rotated tokens, reviewing workflow run logs for suspicious activity, auditing cloud logs for unauthorized actions by IAM identities whose credentials may have been leaked during the window of compromise, and blocking egress traffic to the C2 domain.

The incident combines a targeted gating mechanism in one release, indiscriminate execution in others, and dual-network exfiltration techniques that can evade standard DNS logging. For developers and security teams, the immediate task is not only to remove and replace affected packages but to treat token and credential exposure as likely and to search for any downstream activity that could indicate exploitation.

Read the original report: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html