

Ethical Hacking News

New Supply Chain Attack on npm: Malware Injected into Node-IPC Package to Steal Credentials




Malicious versions of node-ipc, a widely used inter-process communication package for Node.js, were published to the npm registry in a new software supply chain attack. The injected code is an infostealer: it harvests credentials and other secrets from the host and exfiltrates them to attacker-controlled command-and-control servers inside DNS TXT queries. Developers who depend on node-ipc should act immediately: remove the affected versions, rotate any secrets the affected machines could have exposed, and inspect lockfiles and npm caches to find out whether a malicious version was ever installed.

  • Malicious versions of a widely used package were published to the npm (Node Package Manager) registry in a new supply chain attack.
  • The affected package is node-ipc, an inter-process communication module for Node.js applications.
  • The malicious versions of node-ipc are v9.1.6, v9.2.3, and v12.0.1.
  • The injected code is an infostealer that collects cloud credentials, SSH keys, database credentials and other secrets from the host.
  • The stolen data is exfiltrated in DNS TXT queries to the attackers' command-and-control servers, so it blends in with ordinary DNS traffic.
  • Developers who depend on node-ipc should remove the affected versions, rotate any secrets those machines could have exposed, and inspect lockfiles and npm caches.



  • The compromise of node-ipc, a widely used inter-process communication module for Node.js applications, is the latest software supply chain attack to hit the npm (Node Package Manager) ecosystem. Malicious versions of the package were published to the registry, where any project that resolved them through a routine install or update picked up the attacker's code.

    The attack was detected by several application security companies, including Socket, Ox Security and Upwind, which confirmed the malicious versions of node-ipc as v9.1.6, v9.2.3 and v12.0.1. The incident is a reminder that "always install the latest version" is not a safe default: dependencies should be pinned through a lockfile, and package updates should be reviewed before they reach production.

    The malicious code sits in the package's CommonJS entrypoint (node-ipc.cjs), so it runs automatically whenever the package is required, with no action needed from the application that depends on it. The code is heavily obfuscated, which slows analysis, but Ox Security's analysis shows it to be an infostealer that harvests secrets from the compromised system.

    According to the researchers, the infostealer in question collects a wide range of information from infected systems, including:

    - Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean, and others
    - SSH keys and SSH configs
    - Kubernetes, Docker, Helm, and Terraform credentials
    - npm, GitHub, GitLab, and Git CLI tokens
    - .env files and database credentials
    - Shell histories and CI/CD secrets
    - macOS Keychain files and Linux keyrings
    - Firefox profile and key database files (on macOS)
    - Microsoft Teams local storage and IndexedDB paths

    This target list shows that the malware is built for rapid credential theft and exfiltration rather than for establishing persistence or downloading second-stage payloads. The stolen data is sent to the attackers' command-and-control servers inside DNS TXT queries.

    Carrying the data in DNS TXT queries lets the malware hide among the large volume of ordinary DNS traffic that most networks allow without inspection. The method is not free of signals, though: according to Socket, exfiltrating a 500 KB compressed archive would take roughly 29,400 DNS TXT requests, and a burst of that size from one host to names under one domain stands out to anyone monitoring DNS query volume or the number of unique subdomains queried.

    Before exfiltration, the malware packs the collected files into temporary compressed tar.gz archives and deletes them once the data has been sent, which leaves fewer artifacts on disk for forensic investigators to recover.

    Developers who depend on node-ipc should act immediately: remove the affected versions, rotate every secret that an affected machine could have exposed (the credential types listed above), and inspect lockfiles and npm caches to find out whether a malicious version was ever installed or downloaded.

    More broadly, the incident is a reminder to pin dependencies with a lockfile, install from it (npm ci) rather than resolving fresh versions at build time, and review dependency updates before they reach production. None of that makes a compromised package harmless, but it turns a silent install into a visible, reviewable change.

    Supply chain attacks of this kind are now a recurring threat to the npm ecosystem. Following advisories from the registry and from security vendors, and responding quickly when a dependency is flagged, limits the damage a compromised package like this one can do.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Supply-Chain-Attack-on-npm-Malware-Injected-into-Node-IPC-Package-to-Steal-Credentials-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/popular-node-ipc-npm-package-compromised-to-steal-credentials/


  • Published: Fri May 15 13:11:18 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
