Backdoored node-ipc npm releases steal developer credentials through DNS queries

MITRE Techniques

• [T1059.006 ] Command and Scripting Interpreter: JavaScript – Executes malicious logic through the Node.js CommonJS entrypoint when loaded via require(“node-ipc”) (‘runs when the package’s CommonJS entrypoint is loaded’).
• [T1105 ] Ingress Tool Transfer – Prepares and stages collected data into a gzip-compressed tar archive for exfiltration (‘builds a gzip-compressed tar archive’).
• [T1036 ] Masquerading – Uses benign-looking package behavior and filenames while hiding malicious collection and exfiltration logic in node-ipc.cjs (‘backdoored CommonJS entrypoint’).
• [T1027 ] Obfuscated Files or Information – Encodes archive data with gzip, base64, XOR, and a shuffled alphabet before DNS transmission (‘XORs that text with a SHA-256-derived keystream’).
• [T1041 ] Exfiltration Over C2 Channel – Sends stolen data out through DNS TXT queries to a remote endpoint (‘attempts to exfiltrate that archive through DNS TXT queries’).
• [T1071.004 ] Application Layer Protocol: DNS – Uses DNS as the command-and-control and transport channel (‘the command and control (C2) channel uses DNS, not HTTP’).
• [T1005 ] Data from Local System – Collects local files such as /etc/hosts, uname output, environment variables, and credential files (‘collects host and credential files into an archive’).
• [T1082 ] System Information Discovery – Gathers host fingerprinting data including uname -a and host information (‘Output from uname -a, when available’).
• [T1033 ] System Owner/User Discovery – Uses environment and host-derived information to fingerprint the machine and build identifiers (‘machineHex is derived from host fingerprinting’).
• [T1021 ] Remote Services – Leverages SSH and Kubernetes-related credentials among the collected targets (‘SSH and Kubernetes material’).