Popular node-ipc npm Package Infected with Credential Stealer

MITRE Techniques

• [T1082 ] System Information Discovery – The payload fingerprints the host using OS APIs and uname output (‘fingerprint the host environment’ and ‘runs uname -a’).
• [T1083 ] File and Directory Discovery – It enumerates and reads local files across many secret locations (‘enumerate and read local files’).
• [T1016 ] System Network Configuration Discovery – It collects network-relevant host data including hostname and OS context (‘os.hostname()’ and ‘builds a host fingerprint’).
• [T1005 ] Data from Local System – It harvests files such as SSH keys, kube configs, npm tokens, and environment files (‘SSH keys’, ‘Kubernetes’, ‘npm’, and ‘.env’).
• [T1057 ] Process Discovery – It collects process environment data and shell history that can reveal active tooling and secrets (‘sorted process.env entries’).
• [T1027 ] Obfuscated Files or Information – The malware is embedded as an obfuscated IIFE in the CommonJS bundle (‘single obfuscated IIFE’).
• [T1041 ] Exfiltration Over C2 Channel – Stolen data is exfiltrated through DNS TXT queries (‘attempt exfiltration through a network endpoint selected via DNS/address logic’ and ‘uses DNS TXT queries’).
• [T1132 ] Data Encoding – The archive is transformed with gzip, base64, XOR, and character substitution before transport (‘gzip archive to base64 text’ and ‘substitute characters’).
• [T1560.001 ] Archive Collected Data: Archive via Utility – It builds a tar.gz archive of collected files before exfiltration (‘builds a POSIX ustar archive in memory’).
• [T1055 ] Process Injection – Not observed in the article; no evidence of injection was described.
• [T1105 ] Ingress Tool Transfer – Not observed in the article; no download-and-execute stage was described.
• [T1106 ] Native API – The payload uses Node.js child_process, fs, path, os, and dns APIs to run its logic (‘child_process.fork’, ‘resolveTxt()’, and filesystem operations).