PROBABLYPWNED
Malware · May 15, 2026 · 4 min read

node-ipc Hijacked via Expired Domain, Steals 90+ Credential Types

Attackers seized control of node-ipc by re-registering the maintainer's expired email domain. Three malicious versions now harvest AWS, GCP, Azure keys and more.

James Rivera

Three malicious versions of node-ipc, a foundational Node.js inter-process communication library with over 10 million weekly downloads, were published to npm on May 14, 2026. The packages contain an obfuscated credential stealer that harvests over 90 categories of secrets and exfiltrates them through multiple channels designed to evade detection.

The attack succeeded because the original maintainer's email domain expired. An attacker re-registered it through Namecheap on May 7, 2026, gaining password reset access to the npm account.

Affected Versions

The compromised packages are:

These were published by an account named "atiertant" that had no prior connection to the package's legitimate author, "riaevangelist." The last clean release was in August 2024—a 21-month gap that should have raised flags.

How the Attack Works

Unlike typical npm supply chain attacks that use lifecycle hooks (preinstall, install, postinstall), this payload appends an Immediately Invoked Function Expression (IIFE) to the end of node-ipc.cjs. The malware fires unconditionally on every require('node-ipc') call, bypassing installation-stage security scanners.

According to StepSecurity researchers, version 12.0.1 includes a SHA-256 fingerprint check comparing against hard-coded hash fragments. The package remains inert unless the primary module path matches the target value—suggesting the attackers had specific high-value projects in mind.

What Gets Stolen

The credential harvester targets approximately 90 credential categories:

  • Cloud providers: AWS, Google Cloud Platform, Microsoft Azure credentials
  • Infrastructure: SSH keys, Kubernetes tokens, Terraform state files
  • Development tools: GitHub CLI configs, npm tokens, database passwords
  • AI tooling: Claude AI and Kiro IDE settings
  • System data: Shell history, environment variables

The stolen data undergoes GZIP compression before exfiltration.

Exfiltration Techniques

The malware uses two channels to extract data:

HTTPS POST: Direct transmission to sh.azurestaticprovider[.]net, a fake Azure domain designed to blend into legitimate traffic.

DNS TXT Records: Encoded archive chunks bypass corporate DNS security by first overriding local resolvers with Google Public DNS (8.8.8.8, 1.1.1.1), then directly querying the attacker's C2 server. Organizations monitoring only their own DNS infrastructure would miss this entirely.

The malware also forks into detached background child processes, continuing exfiltration even after the parent Node.js application terminates.

Immediate Actions

If you installed any affected version:

  1. Remove compromised packages: run npm uninstall node-ipc, then reinstall a clean version
  2. Assume full compromise: Rotate all credentials and secrets on affected systems
  3. Audit npm publish permissions: Check if any packages you maintain used stolen tokens
  4. Review CI/CD logs: Look for unauthorized actions during the compromise window
  5. Block the C2 domain: Add sh.azurestaticprovider[.]net to your blocklist
  6. Check cloud audit logs: Review IAM actions for unauthorized access

Clean versions to install:

The Bigger Picture

This attack mirrors the TanStack supply chain compromise we covered last week, where attackers also used expired domain re-registration to hijack maintainer accounts. The RubyGems GemStuffer campaign earlier this week used similar exfiltration techniques targeting developer credentials.

Package repositories have become prime targets. npm alone hosts over 2 million packages, many maintained by individuals without security resources. Email domain expiration represents a systemic weakness—maintainers often don't realize their identity can be stolen years after they stop actively maintaining a project.

Organizational Defenses

Beyond reactive response, consider:

  • Lock dependency versions: Use exact versions in package.json rather than ranges
  • Monitor for unexpected updates: Alert when dependencies publish after long dormancy
  • Verify maintainer continuity: Check if maintainer accounts or emails changed recently
  • Network-level monitoring: The DNS exfiltration technique bypasses endpoint detection
  • Supply chain security tools: Solutions like Socket, Snyk, and Semgrep can detect behavioral anomalies
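The two list items on dormancy and maintainer continuity can be checked against the npm registry's own metadata. The following is an added example, not code from the article or from node-ipc: it reads a registry document of the shape returned by GET https://registry.npmjs.org/<name> (the time and _npmUser fields are real registry fields) and flags a release that follows a long gap or comes from an account that never published the package before. The document embedded below is constructed; its names, versions and dates are placeholders.

```javascript
// Added example, not code from the article or from node-ipc. It applies the two
// checks above (long dormancy, publisher never seen before) to an npm registry
// metadata document, the shape returned by GET https://registry.npmjs.org/<name>.
// The document below is constructed; names, versions and dates are placeholders.
const sampleRegistryDoc = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.1' },
  time: {
    created: '2015-01-01T00:00:00.000Z',
    modified: '2026-05-14T10:00:00.000Z',
    '1.9.0': '2024-08-10T12:00:00.000Z',
    '2.0.1': '2026-05-14T10:00:00.000Z',
  },
  versions: {
    '1.9.0': { _npmUser: { name: 'original-maintainer' } },
    '2.0.1': { _npmUser: { name: 'new-publisher' } },
  },
};

const MS_PER_DAY = 86_400_000;

// Published versions in time order; the registry's created/modified keys
// live in the same object and are skipped.
function publishedVersions(doc) {
  return Object.entries(doc.time)
    .filter(([k]) => k !== 'created' && k !== 'modified' && k in doc.versions)
    .map(([version, ts]) => ({ version, ts: new Date(ts) }))
    .sort((a, b) => a.ts - b.ts);
}

// Assess the newest release: how long since the previous one, and whether
// the account that published it (_npmUser) has released this package before.
function assessLatestRelease(doc, { dormancyDays = 365 } = {}) {
  const releases = publishedVersions(doc);
  if (releases.length < 2) return { ok: true, reasons: [] };
  const latest = releases[releases.length - 1];
  const previous = releases[releases.length - 2];
  const gapDays = Math.round((latest.ts - previous.ts) / MS_PER_DAY);
  const publisherOf = (v) => doc.versions[v]._npmUser?.name ?? 'unknown';
  const priorPublishers = new Set(releases.slice(0, -1).map((r) => publisherOf(r.version)));
  const reasons = [];
  if (gapDays > dormancyDays) reasons.push(`published ${gapDays} days after the previous release`);
  if (!priorPublishers.has(publisherOf(latest.version))) {
    reasons.push(`publisher ${publisherOf(latest.version)} has never released this package`);
  }
  return { ok: reasons.length === 0, version: latest.version, gapDays, reasons };
}

console.log(assessLatestRelease(sampleRegistryDoc));
```

In a real pipeline the document comes from `npm view <name> --json` or the registry URL, and the result feeds a CI gate or an alert before the new version is pulled into a lockfile.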

For teams building with JavaScript, this is a reminder that your dependencies are part of your attack surface. The node-ipc attack analysis from Socket provides additional IOCs and detection guidance.
