Malicious Code Injected into 'node-ipc' NPM Package: Developer Secrets at Risk
Cybersecurity researchers have uncovered malicious activity in recent versions of the popular **node-ipc** NPM package. The compromised versions contain obfuscated code designed to steal developer and cloud secrets, highlighting the increasing sophistication of software supply chain attacks.

### Compromised Versions
**Socket** and **StepSecurity** have identified three malicious versions of the **node-ipc** package:
* [email protected]
* [email protected]
* [email protected]

These versions contain obfuscated stealer/backdoor behavior designed to fingerprint the host environment, enumerate and read local files, compress and chunk the collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.

### Secret Exfiltration
The malicious code attempts to exfiltrate a wide range of developer and cloud secrets to an external command-and-control (C2) server. This includes over 90 categories of credentials, such as **Amazon Web Services**, **Google Cloud**, **Microsoft Azure**, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, and shell history.
The harvested data is compressed into a GZIP archive and transmitted to the `sh.azurestaticprovider[.]net` domain.
### Account Compromise
The compromised versions were published by an account named "atiertant," which is not connected to the package's original author, "riaevangelist." The "atiertant" account had no prior publish history related to the **node-ipc** package, suggesting a potential account compromise or malicious addition as a maintainer.
### Technical Analysis

Unlike typical attacks relying on NPM lifecycle hooks, this attack appends the malicious payload as an Immediately Invoked Function Expression (IIFE) to the end of `node-ipc.cjs`, causing the malware to execute unconditionally upon `require('node-ipc')`.
Version 12.0.1 includes a SHA-256 fingerprint gate: it hashes the primary module path and compares the result against a hard-coded hash, so 12.0.1 only activates on machines where that path matches the target. The 9.x versions lack this gate and execute the full payload on any system that loads them.
### Anti-Detection Techniques
The malware employs a secondary exfiltration channel using DNS TXT records after overriding the system's DNS resolver with **Google** Public DNS to bypass local DNS-based security. It resolves `sh.azurestaticprovider[.]net` using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP, then points the resolver directly at the C2 IP for all exfiltration queries.
This direct-to-C2 DNS sink is a notable anti-detection technique, as exfiltration queries never touch public DNS resolvers, making the activity invisible to organizations relying solely on DNS logging through corporate resolvers.
Additionally, the malware attempts to continue execution independently by forking itself into detached background child processes, allowing exfiltration to persist even after the parent application terminates.
### Implications
"This campaign reflects how software supply chain attacks are evolving beyond simple malicious packages into infrastructure-aware credential harvesting operations," said Avital Harel, security research lead at **Upwind**. "Attackers are increasingly targeting the identities and automation systems powering modern software delivery pipelines while designing malware specifically to blend into normal developer and application behavior."
### Recommendations
Users are advised to:
* Remove the compromised **node-ipc** versions and re-install a known clean version (9.2.1 or 12.0.0).
* Assume compromise and rotate credentials and secrets.
* Audit NPM publish activity for any packages accessible with the rotated tokens.
* Review workflow run logs for suspicious activity.
* Audit cloud logs to check for unauthorized actions performed by IAM identities whose credentials were available during the compromised window.
* Block egress traffic to the C2 domain.