Popular node-ipc npm Package Infected with Credential Stealer
The node-ipc npm package was compromised in a supply chain attack affecting versions 9.1.6, 9.2.3, and 12.0.1. Malicious code was introduced via takeover of a dormant maintainer account through an expired email domain. The malware harvests developer credentials and secrets by fingerprinting host environments and reading over 100 file patterns on macOS and Linux systems, including SSH keys, cloud credentials, and configuration files. Collected data is compressed and exfiltrated covertly using DNS TXT queries to attacker-controlled domains masquerading as legitimate Azure infrastructure.
AI Analysis
Machine-generated threat intelligence
Technical Summary
This threat involves a supply chain compromise of the node-ipc npm package, where attacker-controlled versions 9.1.6, 9.2.3, and 12.0.1 contain obfuscated credential stealing and backdoor functionality. The attack vector was the takeover of a dormant maintainer account via an expired email domain. The malware fingerprints the host environment and enumerates local files, targeting developer secrets such as SSH keys, cloud service credentials (AWS, Azure, GCP), Kubernetes, Docker, npm, and GitHub credentials. It compresses the stolen data into gzip archives and exfiltrates it through DNS TXT queries to domains controlled by the attacker but disguised as legitimate Azure domains. Execution occurs during CommonJS module loading, with a detached child process performing the credential harvesting to avoid detection. Indicators include malicious domains and file hashes linked to the campaign. There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.
Potential Impact
The compromise allows attackers to steal a wide range of developer credentials and secrets from affected systems, potentially enabling unauthorized access to cloud services, source code repositories, and other critical infrastructure. This can lead to further compromise of development environments and cloud resources. The use of DNS-based exfiltration and obfuscation techniques increases the difficulty of detection and containment. However, no known active exploitation campaigns have been confirmed at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or update is available, users should avoid using the affected versions (9.1.6, 9.2.3, and 12.0.1) of the node-ipc package. Consider auditing existing environments for the presence of these versions and removing or replacing them. Monitor for suspicious DNS queries and network traffic to the identified malicious domains. Implement strict supply chain security practices, including verifying package integrity and maintaining control over maintainer accounts and email domains associated with package publishing.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/node-ipc-package-compromised
- Adversary: null
- Pulse Id: 6a0d970e99916e7e7e17c893
- Threat Score: null
Threat ID: 6a0f32f9e1370fbb4819e5e6
Added to database: 5/21/2026, 4:29:45 PM
Last enriched: 5/21/2026, 4:44:55 PM
Last updated: 5/21/2026, 7:01:52 PM