Ethical Hacking News
A recent discovery by cybersecurity researchers has revealed a malicious backdoor in the npm package node-ipc, targeting developer secrets and leaving many users vulnerable to potential data breaches. The affected versions of the package were released by an account named "atiertant," which has no connection to the original author. To protect yourself from this threat, it is essential to remove the compromised node-ipc versions, rotate credentials and secrets, audit npm publish activity, and review workflow run logs for suspicious activity.
A malicious backdoor was found in three versions of the npm package node-ipc, leaving users vulnerable to data breaches. The affected versions were released by an account named "atiertant," which has no connection to the original author and appears in the maintainer list with no prior publish history. The malware targets over 90 categories of credentials and transmits the stolen data to a fake Azure domain, or uses a DNS sink to evade detection. This is not the first time the package has carried malicious functionality: in March 2022 it shipped deliberately destructive code. Users are advised to remove the compromised versions and reinstall a clean version, assume compromise, rotate credentials, and review workflow run logs for suspicious activity.
A recent discovery by cybersecurity researchers has shed light on a malicious backdoor found in three versions of the npm package node-ipc. The malicious activity was identified as "stealer/backdoor behavior" and targeted developer secrets, leaving many users vulnerable to potential data breaches.
The affected versions of the node-ipc package were released by an account named "atiertant," which has no connection to the original author, "riaevangelist." Although "atiertant" appears in the maintainer list, there is no prior publish history in connection with the node-ipc package. The previous update to the package was in August 2024.
The malicious activity does not rely on any npm lifecycle hooks such as preinstall, install, or postinstall scripts. Instead, the payload is appended as an Immediately Invoked Function Expression (IIFE) to the end of "node-ipc.cjs," so the malware fires unconditionally on every require('node-ipc'). The payload is obfuscated and performs a SHA-256 fingerprint check against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code. If the hash matches, it proceeds with system enumeration and comprehensive credential harvesting.
The malware targets 90 categories of credentials, including Amazon Web Services, Google Cloud, and Microsoft Azure credentials, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more. The harvested data is compressed into a GZIP archive and transmitted to the "sh.azurestaticprovider[.]net" domain.
Besides the HTTPS POST of the compressed stolen data to the fake Azure domain, the malware incorporates a second exfiltration channel: it encodes chunks of the archive as DNS TXT records, after overriding the system's DNS resolver with Google Public DNS to sidestep local DNS-based security controls.
"It first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP," StepSecurity said. "Then it re-targets the resolver directly at the C2 IP for all exfiltration queries." The direct-to-C2 DNS sink is a notable anti-detection technique: because the exfiltration queries never touch public DNS resolvers, they are difficult to detect.
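One defensive check that follows from the behaviour described above, as an added example that is not part of the article or of StepSecurity's analysis: flag DNS traffic that bypasses the resolvers a network is supposed to use, which catches both the bootstrap lookup via a public resolver and TXT queries sent straight to an unapproved server. The log format, the sanctioned resolver 10.0.0.53 and every sample line are constructed assumptions.

```python
# Added example (not from the article or StepSecurity): flag the resolver bypass
# and direct-to-C2 DNS sink pattern the report describes by checking outbound
# DNS traffic against the resolvers a network is supposed to use.
# The log format and every sample line below are constructed for this example.
import ipaddress

# Assumption: the only sanctioned resolver in this network is 10.0.0.53.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
# Public resolvers the report says the malware uses to bootstrap the C2 lookup.
BOOTSTRAP_RESOLVERS = {ipaddress.ip_address("1.1.1.1"), ipaddress.ip_address("8.8.8.8")}
C2_DOMAIN = "sh.azurestaticprovider.net"  # domain named in the report

def parse_line(line):
    """Constructed log format: '<src> <dst> <proto>/<port> <qtype> <qname>'."""
    src, dst, proto_port, qtype, qname = line.split()
    _proto, port = proto_port.split("/")
    return src, ipaddress.ip_address(dst), int(port), qtype, qname.lower().rstrip(".")

def analyse(lines):
    """Return (src, dst, qname, reason) for each DNS packet not sent to an approved resolver."""
    findings = []
    for line in lines:
        src, dst, port, qtype, qname = parse_line(line)
        if port != 53 or dst in APPROVED_RESOLVERS:
            continue  # not DNS, or DNS via the sanctioned resolver: nothing to flag
        if dst in BOOTSTRAP_RESOLVERS:
            reason = "local resolver bypassed via public DNS"
        elif qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            reason = "query for reported C2 domain"
        elif qtype == "TXT":
            reason = "TXT query sent straight to an unapproved DNS server (possible direct-to-C2 sink)"
        else:
            reason = "DNS to unapproved server"
        findings.append((src, str(dst), qname, reason))
    return findings

# Constructed traffic: 203.0.113.10 (TEST-NET-3) stands in for the C2 IP. One host
# does the bootstrap lookup via 1.1.1.1 and then pushes TXT chunks straight to it.
SAMPLE_LOG = [
    "10.0.1.20 10.0.0.53 udp/53 A registry.npmjs.org",
    "10.0.1.20 1.1.1.1 udp/53 A sh.azurestaticprovider.net",
    "10.0.1.20 203.0.113.10 udp/53 TXT 4a7f3c.sh.azurestaticprovider.net",
    "10.0.1.20 203.0.113.10 udp/53 TXT 9b10e2.chunk.invalid",
    "10.0.1.21 10.0.0.53 udp/53 TXT _dmarc.example.com",
]

def run_sample():
    return analyse(SAMPLE_LOG)
```

The last sample line shows why the check keys on the destination rather than on the TXT record type alone: TXT lookups through the sanctioned resolver are routine and produce no finding.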
This is not the first time the npm package has incorporated malicious functionality. In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia's military invasion of Ukraine.
Two subsequent versions – 11.0.0 and 11.1.0 – included the "peacenotwar" dependency, which was also published by the same maintainer as a "non-violent protest against Russia's aggression." The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt.
Users are advised to remove the compromised node-ipc versions and reinstall a known clean version (9.2.1 or 12.0.0); assume compromise and rotate credentials and secrets; audit npm publish activity for any packages accessible with the rotated tokens; review workflow run logs for suspicious activity; audit cloud logs for unauthorized actions by IAM identities whose credentials were available during the compromise window; and block egress traffic to the C2 domain.
The discovery of this malicious backdoor highlights the importance of staying up to date with package updates and being cautious when installing new packages. It also underscores the need for organizations to have robust security measures in place to detect and respond to potential threats.
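The first remediation step above needs an inventory of every node-ipc copy in a project, including copies nested under other dependencies. The following script, an added example that is not the article's or the node-ipc project's own code, reads a package-lock.json and reports each copy whose version is not one of the clean versions the advisory names; the sample lockfile is constructed and "0.0.0-constructed" is a placeholder, not a real release.

```python
# Added example (not from the article or the node-ipc project): audit a
# package-lock.json for node-ipc copies whose version is not one of the clean
# versions the advisory names, including copies nested under other packages.
# The lockfile below is constructed; "0.0.0-constructed" is a placeholder for
# any version outside the allowlist, not a real node-ipc release.
import json

KNOWN_CLEAN = {"9.2.1", "12.0.0"}  # clean versions named in the advisory

def node_ipc_versions(lock):
    """Return {install path: version} for every node-ipc copy in a v1/v2/v3 lockfile."""
    found = {}
    # lockfileVersion 2 and 3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/node-ipc") and "version" in meta:
            found[path] = meta["version"]
    # lockfileVersion 1 (and the v2 compatibility tree): nested "dependencies"
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "node-ipc" and "version" in meta:
                found[path] = meta["version"]
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return found

def suspect_node_ipc(lock_text):
    """Paths whose node-ipc version is off the allowlist; each one needs a clean reinstall."""
    versions = node_ipc_versions(json.loads(lock_text))
    return {p: v for p, v in versions.items() if v not in KNOWN_CLEAN}

# Constructed v3 lockfile: the top-level copy is clean, a nested copy is not.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"node-ipc": "^12.0.0"}},
        "node_modules/node-ipc": {"version": "12.0.0"},
        "node_modules/some-tool": {"version": "1.0.0", "dependencies": {"node-ipc": "*"}},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "0.0.0-constructed"},
    },
})

if __name__ == "__main__":
    for path, version in suspect_node_ipc(SAMPLE_LOCK).items():
        print(f"reinstall a clean node-ipc at {path} (found {version})")
```

Point the script at a real lockfile with `suspect_node_ipc(open("package-lock.json").read())`; the nested copy in the sample is the case a top-level `npm ls node-ipc` reader can overlook.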
In conclusion, the discovery of a malicious backdoor in the npm package node-ipc serves as a reminder that even seemingly innocuous packages can harbor malicious code. As cybersecurity researchers continue to uncover new threats, it is essential for developers and users alike to remain vigilant and take proactive steps to protect themselves from potential vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Malicious-Backdoor-Discovered-in-npms-node-ipc-Package-A-Threat-to-Developer-Security-ehn.shtml
https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html
Published: Thu May 14 15:58:28 2026 by llama3.2 3B Q4_K_M