A supply-chain attack has injected credential-stealing malware into the node-ipc package on npm, a package downloaded more than 690,000 times each week. The infostealer collects cloud and developer credentials and exfiltrates the stolen data over DNS TXT queries; the malicious versions were published after the maintainer account "atiertant" was compromised. #node-ipc #npm #atiertant
Key points
- Malicious code was added to node-ipc versions 9.1.6, 9.2.3, and 12.0.1.
- The malware runs automatically through the CommonJS entrypoint node-ipc.cjs.
- It steals cloud, SSH, Kubernetes, Docker, npm, GitHub, GitLab, and database credentials.
- Data is compressed and exfiltrated through DNS TXT queries instead of HTTP C2 traffic.
- Affected developers should remove the versions, rotate secrets, and inspect lockfiles and npm caches.