Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
TL;DR — Three versions of the widely used npm package node-ipc (9.1.6, 9.2.3, 12.0.1) have been confirmed to contain obfuscated malware that harvests 90 categories of developer and cloud credentials, including AWS keys, SSH credentials, Kubernetes tokens, and database passwords. The malicious code was published by an account with no prior history on the package and uses multiple exfiltration channels to transmit stolen data to a command-and-control server. Organizations must immediately rotate credentials and audit systems for unauthorized activity.
What happened
Socket and StepSecurity identified three malicious versions of node-ipc published under the account "atiertant," which has no connection to the original maintainer "riaevangelist." The previous legitimate update to the package was in August 2024, creating a 21-month gap before these compromised versions appeared.
The payload does not rely on npm lifecycle hooks (preinstall, install, postinstall). Instead, it appends an Immediately Invoked Function Expression (IIFE) to the end of node-ipc.cjs, triggering execution unconditionally whenever the package is required at runtime.
According to StepSecurity, the malware fingerprints the host environment, enumerates and reads local files, compresses data, wraps the payload in a cryptographic envelope, and attempts exfiltration through multiple channels to the domain sh.azurestaticprovider[.]net.
Version 12.0.1 performs a SHA-256 fingerprint check against a hard-coded hash before proceeding with credential harvesting. This hash is assembled from eight obfuscated table fragments embedded in the code. StepSecurity researcher Sai Likhith noted that "the attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing." Version 12.0.1 remains inert on any system whose primary module path does not match the target hash. Versions 9.1.6 and 9.2.3 contain no such gate and execute the full payload on any system that loads them.
The malware targets 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, and shell history.
Why it matters
node-ipc is a widely downloaded npm package used for inter-process communication in Node.js applications. Its presence in development environments and CI/CD pipelines means compromised versions could affect a broad range of projects and automation systems.
The malware's design reflects a shift in supply chain attacks toward infrastructure-aware credential harvesting. Rather than generic malware, it specifically targets identities and automation systems powering software delivery pipelines. The use of multiple exfiltration channels—HTTPS POST and DNS TXT encoding—and anti-detection techniques (overriding DNS resolvers, forking background processes) demonstrates sophistication intended to evade standard security monitoring.
The direct-to-C2 DNS technique is particularly noteworthy. By resolving sh.azurestaticprovider[.]net through public DNS (1.1.1.1 or 8.8.8.8) and then redirecting subsequent exfiltration queries directly to the C2 IP address, the malware avoids generating observable activity in corporate DNS logs. Organizations relying solely on DNS logging through internal resolvers would not detect this traffic.
Additionally, the malware forks itself into detached background child processes, allowing credential exfiltration to continue silently after the parent Node.js process terminates. This persistence mechanism increases the window for data theft.
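The resolver-bypass behaviour described above is visible in network flow data even when internal DNS logs show nothing. The following is an added example, not code from the advisory or from Socket/StepSecurity: it runs a simple rule over constructed flow-log lines in a key=value layout (the field names src, dst, proto, dport and bytes are an assumption about the log format) and flags every port-53 flow that does not go to an approved internal resolver, distinguishing the bootstrap lookup against 1.1.1.1/8.8.8.8 from DNS sent straight to a host that is not a resolver at all. The address 203.0.113.7 is a documentation-range placeholder for an unknown C2 host, not an indicator from the advisory, and the large-datagram threshold is a tunable assumption.

```javascript
// Added example (not from the advisory or from Socket/StepSecurity): flag DNS traffic that
// bypasses the internal resolvers, using constructed flow-log lines in a key=value layout.
// Field names (src, dst, proto, dport, bytes) are an assumption about the log format.

// Public resolvers the advisory says the malware queries to bootstrap its C2 lookup.
const PUBLIC_RESOLVERS = new Set(['1.1.1.1', '8.8.8.8']);

// Tunable assumption: a DNS datagram this large from a workstation is unusual and is
// consistent with data encoded into TXT queries.
const LARGE_DNS_BYTES = 300;

// Constructed sample lines. 203.0.113.7 is a documentation-range placeholder standing in
// for an unknown C2 address, not an indicator from the advisory.
const SAMPLE_FLOWS = [
  'ts=2025-01-01T10:00:01Z src=10.0.5.12 dst=10.0.0.53 proto=udp dport=53 bytes=74',
  'ts=2025-01-01T10:00:02Z src=10.0.5.12 dst=1.1.1.1 proto=udp dport=53 bytes=81',
  'ts=2025-01-01T10:00:03Z src=10.0.5.12 dst=203.0.113.7 proto=udp dport=53 bytes=412',
  'ts=2025-01-01T10:00:04Z src=10.0.5.12 dst=203.0.113.7 proto=udp dport=53 bytes=398',
  'ts=2025-01-01T10:00:05Z src=10.0.5.12 dst=203.0.113.7 proto=tcp dport=443 bytes=5120',
  'ts=2025-01-01T10:00:06Z src=10.0.7.40 dst=10.0.0.53 proto=udp dport=53 bytes=70',
];

// Parse one "key=value key=value" line into an object; tokens without '=' are ignored.
function parseFlowLine(line) {
  const rec = {};
  for (const tok of line.trim().split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq > 0) rec[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return rec;
}

// Return one finding per port-53 flow whose destination is not an approved internal resolver.
// Two reasons are distinguished: the bootstrap lookup against a public resolver, and
// DNS sent straight to a host that is not a resolver at all (the direct-to-C2 stage).
function detectResolverBypass(lines, internalResolvers) {
  const approved = new Set(internalResolvers);
  const findings = [];
  for (const line of lines) {
    const r = parseFlowLine(line);
    if (r.dport !== '53' || approved.has(r.dst)) continue;
    const bytes = Number(r.bytes) || 0;
    findings.push({
      ts: r.ts,
      src: r.src,
      dst: r.dst,
      reason: PUBLIC_RESOLVERS.has(r.dst) ? 'dns-to-public-resolver' : 'dns-to-non-resolver-host',
      largePayload: bytes >= LARGE_DNS_BYTES,
    });
  }
  return findings;
}

// Aggregate findings into { "src -> dst": count } so repeated direct-to-host DNS stands out.
function countByPair(findings) {
  const counts = {};
  for (const f of findings) {
    const key = `${f.src} -> ${f.dst}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Usage with the constructed sample: 10.0.0.53 is the only approved resolver.
const findings = detectResolverBypass(SAMPLE_FLOWS, ['10.0.0.53']);
console.log(findings);
console.log(countByPair(findings));
```

On the sample this yields three findings from 10.0.5.12: one public-resolver lookup and two direct DNS datagrams to the placeholder host, the latter both above the size threshold. The same approved-resolver list is also the basis for a preventive control: restricting outbound port 53 at the perimeter to the internal resolvers turns both stages into blocked, logged events rather than traffic that never touches the corporate DNS logs.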
Affected systems and CVEs
- node-ipc@9.1.6 (malicious)
- node-ipc@9.2.3 (malicious)
- node-ipc@12.0.1 (malicious)
- Clean versions: 9.2.1 and 12.0.0
No CVE assigned at the time of publication.
What to do
- Remove compromised node-ipc versions (9.1.6, 9.2.3, 12.0.1) immediately and reinstall clean versions (9.2.1 and 12.0.0).
- Assume compromise of all credentials and secrets available on systems that loaded the malicious versions during the exposure window. Rotate credentials for AWS, Google Cloud, Azure, SSH, Kubernetes, GitHub, and any other systems accessed by compromised developer machines.
- Audit npm publish activity for any packages accessible with the rotated tokens to detect whether stolen credentials were used to publish or modify other packages.
- Review CI/CD workflow run logs for suspicious activity, including unexpected commands, authentication attempts, or deployments that occurred during the exposure window.
- Audit cloud logs (CloudTrail for AWS, Cloud Audit Logs for Google Cloud, Activity Log for Azure) to identify any unauthorized actions performed by IAM identities whose credentials were available on compromised systems.
- Block egress traffic to sh.azurestaticprovider[.]net at the network perimeter.
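The first remediation step, and the runtime-trigger detail from the "What happened" section (the payload is an IIFE appended to the end of node-ipc.cjs rather than an install hook), can both be checked from a lockfile and the installed file. The following is an added example, not code from the advisory, from Socket/StepSecurity or from the node-ipc project: it lists every node-ipc install in a package-lock.json (top level and nested, lockfileVersion 1 and 2/3 layouts), labels each version as malicious, clean or unlisted using the version numbers the advisory gives, and applies a heuristic check for a trailing IIFE. The lockfile and the file tails are constructed samples embedded in the script, and the trailing-IIFE check is a review trigger, not proof of compromise.

```javascript
// Added example (not from the advisory, Socket, StepSecurity or the node-ipc project):
// check a package-lock.json for the node-ipc versions the advisory names, and apply a
// heuristic check for an IIFE appended to the end of node-ipc.cjs. Both inputs are
// constructed samples embedded below so the script runs offline.

// Versions named as malicious and as clean in the advisory.
const MALICIOUS_NODE_IPC = new Set(['9.1.6', '9.2.3', '12.0.1']);
const CLEAN_NODE_IPC = new Set(['9.2.1', '12.0.0']);

// Constructed lockfile (lockfileVersion 3 layout) with node-ipc installed twice:
// once at top level and once nested under another dependency.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-ipc': '^9.2.1' } },
    'node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '12.0.0' },
  },
});

// Constructed tails of a node-ipc.cjs file; the "tampered" one ends in a harmless
// stand-in IIFE, not the real payload.
const SAMPLE_CLEAN_TAIL = 'module.exports = IPC;\n';
const SAMPLE_TAMPERED_TAIL =
  'module.exports = IPC;\n\n(function () { /* constructed stand-in */ })();\n';

// Collect every node-ipc entry in a lockfile, handling both the lockfileVersion 2/3
// "packages" map and the lockfileVersion 1 nested "dependencies" tree.
function findNodeIpcInstalls(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/node-ipc' || path.endsWith('/node_modules/node-ipc')) {
        hits.push(classify(path, meta.version));
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', hits);
  }
  return hits;
}

function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === 'node-ipc') hits.push(classify(path, meta.version));
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, hits);
  }
}

function classify(path, version) {
  return {
    path,
    version,
    status: MALICIOUS_NODE_IPC.has(version) ? 'malicious'
          : CLEAN_NODE_IPC.has(version) ? 'clean'
          : 'unlisted',
  };
}

// Heuristic: the advisory says the payload is an IIFE appended at the end of node-ipc.cjs,
// so a file whose last statement is a call of the form "(...)()" deserves a manual look.
// A legitimate file could end that way too, so treat a hit as a review trigger, not proof.
function hasTrailingIife(source) {
  const lines = source.split('\n').map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines.length === 0) return false;
  return /\)\s*\(\s*\)\s*;?$/.test(lines[lines.length - 1]);
}

// Usage with the constructed samples.
console.log(findNodeIpcInstalls(SAMPLE_LOCKFILE));
console.log(hasTrailingIife(SAMPLE_CLEAN_TAIL), hasTrailingIife(SAMPLE_TAMPERED_TAIL));
```

Nested installs matter here: a clean top-level pin does not prove the package is absent elsewhere in the tree, which is why the scan walks every node_modules path rather than only the direct dependency. Any "malicious" hit means the host loaded the payload at runtime whenever that copy was required, so the credential rotation steps above apply to that machine or runner regardless of whether an install script ever ran.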
Open questions
- Whether the "atiertant" account credentials were compromised or the account was specifically added as a maintainer for the purpose of publishing malicious versions.
- The identity and motivation of the threat actor responsible for the malicious versions.
- The extent of actual credential exfiltration that occurred and how many organizations were affected.
- How long the malicious versions remained available in npm before removal.