Cybersecurity researchers have flagged malicious activity in three published versions of the node-ipc npm package, specifically node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1, with early analysis from Socket and StepSecurity describing obfuscated stealer/backdoor behaviour.
The malware appears to fingerprint the host, enumerate and read local files, and exfiltrate a broad set of developer and cloud secrets to a C2 server, wrapping the data in a cryptographic envelope before sending it via an HTTPS POST and also as DNS TXT records. Notably, the payload is appended as an Immediately Invoked Function Expression to the end of node-ipc[.]cjs, so the IIFE runs on every require('node-ipc') load; a SHA-256 check then gates the malicious logic so that it activates only for certain target entry points.
The three versions were published by an account named "atiertant" linked to the maintainer list, though the original author is "riaevangelist"; the last update prior to this incident was in August 2024. Users are advised to remove the compromised versions and reinstall known clean ones (9.2.1 and 12.0.0), rotate credentials, audit npm publish activity and cloud logs, and block egress traffic to the C2 domain sh.azurestaticprovider[.]net.