
Node-ipc Package Infected with Credential-Stealing Malware


Exfiltrating a 500 KB compressed archive could generate roughly 29,400 DNS TXT requests — a volume the attackers relied on to hide stolen credentials inside what looks like ordinary DNS traffic.

node-ipc: a widely used inter-process library

node-ipc is a Node.js module that enables processes to communicate across Unix, Windows, UDP, TLS and TCP sockets. Despite a controversial, politically motivated change in March 2022, the package still had more than 690,000 weekly downloads on npm at the time the new compromise was reported. That reach is why a malicious update to this single library presents a significant supply-chain risk for developer environments and CI systems that pull dependencies from npm.

Confirmed malicious releases and behavior

Application-security companies Socket, Ox Security, and Upwind independently detected and confirmed three malicious node-ipc versions: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. The hostile code is embedded in the CommonJS entrypoint (node-ipc.cjs) and executes automatically whenever applications load the module.

The infostealer is heavily obfuscated and performs several automated steps: it fingerprints the host, collects environment variables and sensitive local files, stores findings in temporary compressed tar.gz archives, exfiltrates those archives, and then deletes them to reduce forensic traces. The malware intentionally skips files larger than 4 MiB and avoids scanning .git and node_modules directories to increase efficiency and lower operational noise on infected hosts. Researchers found no persistence mechanism and no secondary payload downloads; the operation appears narrowly focused on rapid credential theft and exfiltration.

What the malware stole

  • Cloud credentials — AWS, Azure, GCP, OCI, DigitalOcean, and others
  • SSH keys and SSH configurations
  • Kubernetes, Docker, Helm, and Terraform credentials
  • Tokens for npm, GitHub, GitLab, and Git CLI
  • .env files and database credentials
  • Shell histories and CI/CD secrets
  • macOS Keychain files and Linux keyrings
  • Firefox profile and key database files (on macOS)
  • Microsoft Teams local storage and IndexedDB paths

By focusing on credentials, tokens and local key stores rather than installing backdoors, the campaign is tailored to fast-value theft rather than long-run footholds.

DNS TXT exfiltration and the fake Azure-themed bootstrap

Rather than using conventional HTTP-based command-and-control channels, the attackers exfiltrated data using DNS TXT queries. Researchers observed a fake Azure-themed bootstrap resolver at sh[.]azurestaticprovider[.]net:443 that the malware used to transmit data to bt[.]node[.]js with query prefixes like xh, xd, and xf. Because DNS traffic is ubiquitous and often less scrutinized than web traffic, the adversary’s choice increases the chance that large-scale exfiltration will blend into normal activity; Socket’s analysis found that a single 500 KB compressed archive could generate roughly 29,400 DNS TXT requests during exfiltration.
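A defender-side illustration of the traffic pattern described above, written as an added example for this article rather than code from the report or the researchers: it parses DNS query log lines, keeps only TXT queries whose leftmost label is one of the prefixes attributed to the malware (xh, xd, xf), and raises an alert when one client sends a burst of them to one zone. The log line format, the 60-second window, the burst threshold and the domain `exfil.example` are assumptions constructed for the example.

```javascript
// Added example: flag DNS TXT query bursts whose leftmost label matches the
// prefixes the article attributes to the node-ipc infostealer (xh, xd, xf).
const SUSPECT_PREFIXES = new Set(["xh", "xd", "xf"]);
const BURST_THRESHOLD = 50;   // TXT queries per client/zone pair per window (assumed)
const WINDOW_MS = 60 * 1000;  // sliding window length (assumed)

// Expected line shape (constructed for this example, not a real resolver format):
// "<ISO time> <client-ip> <qtype> <qname>"
function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  if (!qname) return null;
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  return { t: Date.parse(ts), client, qtype: qtype.toUpperCase(), labels };
}

function detectTxtExfil(lines) {
  const buckets = new Map(); // key: "<client>|<zone>" -> query timestamps
  for (const line of lines) {
    const q = parseLine(line);
    if (!q || q.qtype !== "TXT" || !SUSPECT_PREFIXES.has(q.labels[0])) continue;
    const zone = q.labels.slice(-2).join("."); // crude registrable-domain guess
    const key = `${q.client}|${zone}`;
    const b = buckets.get(key) || { client: q.client, zone, times: [] };
    b.times.push(q.t);
    buckets.set(key, b);
  }
  const alerts = [];
  for (const b of buckets.values()) {
    b.times.sort((a, c) => a - c);
    let start = 0, peak = 0; // peak = most queries seen inside any one window
    for (let end = 0; end < b.times.length; end++) {
      while (b.times[end] - b.times[start] > WINDOW_MS) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= BURST_THRESHOLD) alerts.push({ client: b.client, zone: b.zone, peakPerWindow: peak });
  }
  return alerts;
}

// Constructed sample: 60 labelled TXT queries from one host within six seconds,
// plus benign lookups (an A record and a real-world TXT use) that must not alert.
const sampleLog = [];
for (let i = 0; i < 60; i++) {
  const prefix = ["xh", "xd", "xf"][i % 3];
  const ts = new Date(Date.UTC(2024, 0, 1, 12, 0, 0) + i * 100).toISOString();
  sampleLog.push(`${ts} 10.0.0.5 TXT ${prefix}.${i.toString(16)}deadbeef.exfil.example`);
}
sampleLog.push("2024-01-01T12:00:01.000Z 10.0.0.5 A www.example.com");
sampleLog.push("2024-01-01T12:00:02.000Z 10.0.0.6 TXT _dmarc.example.com");
```

Running `detectTxtExfil(sampleLog)` returns one alert for 10.0.0.5 against exfil.example; tuning the threshold against your own resolver's baseline is the part the article cannot do for you.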

Compromise of an inactive maintainer account and March 2022 context

Researchers attribute the latest compromise to an external actor who gained access to the account of an inactive maintainer identified as 'atiertant.' That is distinct from an earlier incident in March 2022 when the package’s maintainer published weaponized versions that targeted systems in Russia and Belarus with a data-overwriting module in protest of the Russian invasion of Ukraine. The current operation, by contrast, uses an injected infostealer focused on collecting and exporting credentials.

What this means for developers, security teams, and procurement leaders

Potentially impacted developers are urged to take the immediate, concrete steps the reporting explicitly recommends: remove the affected versions (node-ipc@9.1.6, 9.2.3, and 12.0.1), rotate any exposed secrets and credentials, and inspect lockfiles and npm caches for traces of the malicious releases. Because the malware targeted a wide range of credential stores — cloud providers, container tooling, Git hosting tokens, local keyrings and CI/CD secrets — response teams will need to assume lateral exposure across development, build, and cloud environments.

Procurement and engineering leaders should note the scale of node-ipc’s usage (hundreds of thousands of weekly downloads) and the operational reality called out in the reporting: automated pentesting tools were built to answer one question — “can an attacker move through the network?” — but they were not built to verify whether controls block threats, whether detection rules fire, or whether cloud configurations hold. That gap matters when an attacker uses dependency updates and DNS-based exfiltration to evade conventional controls.

The immediate fact is simple and urgent: specific node-ipc releases were weaponized to harvest credentials and exfiltrate them via DNS. Remove the identified versions, rotate secrets, and inspect caches and lockfiles. Beyond that, defenders are left to reconcile how a routine package update turned into a high-volume credential grab that never needed a persistent implant to inflict damage.
