Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

Researchers found malicious code in node-ipc versions 9.1.6, 9.2.3, and 12.0.1 that steals developer and cloud credentials, fingerprints the host, and exfiltrates data to a command-and-control domain. The campaign uses obfuscated payloads, DNS-based evasion, and background child processes to quietly continue stealing secrets from affected systems.

Key points

  • Three node-ipc versions were confirmed to contain malicious stealer/backdoor behavior.
  • The payload targets developer and cloud secrets, including AWS, Google Cloud, Azure, SSH keys, and GitHub configs.
  • Version 12.0.1 only activates on a targeted system matching a SHA-256 fingerprint gate.
  • The malware uses HTTPS and DNS-based exfiltration to send stolen data to sh.azurestaticprovider.net.
  • Users should remove the compromised versions, rotate credentials, and audit npm and cloud activity.
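
For the removal step in the last key point, this added example (not code from the article or the researchers) scans a parsed package-lock.json for the three node-ipc versions named above, covering both the nested v1 layout and the flat v2/v3 layout. The sample lockfiles, the package names `demo-app`, `some-tool` and `ipc-alias`, and all function names are constructed for illustration.

```javascript
// Added example: find the node-ipc releases named in this article in an npm lockfile.
const PKG = 'node-ipc';
const BAD_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']); // versions from the article

const isBad = (name, version) => name === PKG && BAD_VERSIONS.has(version);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // "" is the root project itself
    const i = path.lastIndexOf('node_modules/');
    // Aliased installs carry the real package name in "name"; otherwise use the path tail.
    const name = meta.name || (i === -1 ? path : path.slice(i + 13));
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].join(' > ');
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
    scanDependencies(meta.dependencies, [...trail, name], hits);
  }
}

// v2 lockfiles contain both sections; prefer "packages" so nothing is counted twice.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (package names other than node-ipc are hypothetical).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/node-ipc': { version: '9.2.1' },
  'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.3' },
  'node_modules/ipc-alias': { name: 'node-ipc', version: '12.0.1' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'some-tool': { version: '2.0.0', dependencies: { 'node-ipc': { version: '9.1.6' } } },
} };

for (const hit of [...findCompromised(SAMPLE_V3), ...findCompromised(SAMPLE_V1)]) {
  console.log(`compromised: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the `JSON.parse` result of its package-lock.json to `findCompromised`. A clean lockfile does not show what was installed before the lockfile last changed, so credential rotation and the npm and cloud audit still apply on any host that ran an affected version.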

Read More: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html