STEPSECURITY has detected multiple malicious releases of the widely used node-ipc npm package, with three confirmed compromised versions: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. The obfuscated payload is designed to fire when the package is required at runtime and aims to exfiltrate cloud credentials, SSH keys, and CI/CD secrets to an external command-and-control server. Project maintainers who install any of these versions, directly or transitively, will pull the compromised release.
Recommended immediate actions include removing the affected versions from package.json and lockfiles, pinning node-ipc to a known-clean release, and auditing any system, developer workstation, or CI/CD pipeline that may have installed an affected version. If an affected version was present in a CI/CD environment, secrets exposed to that environment should be rotated, and any exposed credentials treated as compromised.
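The lockfile audit step above, as an added example that is not StepSecurity's tooling: a Node script that scans a parsed package-lock.json for the three versions named in the advisory, covering both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1, so transitive installs are caught as well. The sample lockfile and the dependency name "some-dep" are constructed for the demonstration.

```javascript
// Added example: find compromised node-ipc releases in a parsed package-lock.json.
// Versions are the three listed in the advisory.
const COMPROMISED_NODE_IPC = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Returns [{ path, version }] for every node-ipc entry at a compromised version.
function findCompromisedNodeIpc(lock) {
  const hits = [];
  // lockfileVersion 2/3: "packages" is a flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/node-ipc$/.test(path) && COMPROMISED_NODE_IPC.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc" && COMPROMISED_NODE_IPC.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed v3 lockfile: a hypothetical dependency "some-dep" pulls in a
// compromised node-ipc transitively while the top-level copy is clean.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "some-dep": "^1.0.0" } },
    "node_modules/some-dep": { version: "1.0.0", dependencies: { "node-ipc": "^9.2.0" } },
    "node_modules/some-dep/node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/node-ipc": { version: "9.1.1" },
  },
};

// Run stand-alone: `node scan.js [path/to/package-lock.json]`; exit code 1 on a hit.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = findCompromisedNodeIpc(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.path} node-ipc@${h.version}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Only npm lockfiles are covered; yarn.lock and pnpm-lock.yaml use different formats and need their own parsers. A non-zero exit makes the check usable as a CI gate.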