
Popular node-ipc npm Package Infected with Credential Stealer

· Published 20/05/2026 13:12 · Modified 21/05/2026 16:46


Essential information

Published
20/05/2026 13:12
Modified
21/05/2026 16:46
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential stealer, developer secrets harvesting, dns exfiltration, maintainer account takeover, node-ipc compromise, npm package compromise, supply chain attack
Tags
2026-05-20, credential-stealer, developer secrets harvesting, dns exfiltration, maintainer account takeover, node-ipc compromise, npm package compromise, supply chain attack
Related entities
10 indicators, 10 observables, 20 techniques (mitre), 1 malware, 4 others

Description

A threat actor compromised the node-ipc npm package, publishing malicious versions 9.1.6, 9.2.3 and 12.0.1 that contain obfuscated stealer and backdoor functionality. Initial access came from the takeover of a dormant maintainer account through its expired email domain. The malware fingerprints the host, then enumerates and reads local files including SSH keys, cloud credentials, database configurations and other developer secrets. The collected data is gzip-compressed and exfiltrated over DNS TXT queries to attacker-controlled infrastructure disguised as legitimate Azure domains. The payload targets more than 100 file patterns on macOS and Linux, focusing on developer credentials for AWS, Azure, GCP, Kubernetes, Docker, npm, GitHub and numerous other services. The malicious code runs at CommonJS module load time (that is, as soon as the package is required), forking a detached child process that performs the credential harvesting; obfuscation and the DNS-based covert channel are used to evade detection.

External references