Severity: critical

Popular node-ipc npm Package Infected with Credential Stealer

Recent versions of the popular npm package node-ipc (9.1.6, 9.2.3, 12.0.1) were compromised to include an obfuscated credential stealer. The malware executes upon CommonJS module load, harvests sensitive developer and cloud credentials, and exfiltrates the compressed data via DNS TXT queries to attacker-controlled infrastructure.

Sens: Immediate · Conf: high · Analyzed: 2026-05-19 · Google

Authors: Socket Research Team

Actors: node-ipc supply chain attack, peacenotwar

Source: Socket

IOCs · 7

Detection / Hunter: Google

What Happened

A popular software building block called node-ipc was recently hijacked to include malicious code. When developers or automated systems use the compromised versions, the hidden code steals passwords, cloud keys, and other sensitive information from their computers. This stolen data is then secretly sent to the attackers using the internet's address book system (DNS) to avoid detection. Anyone using this software should immediately check their systems, remove the bad versions, and change any passwords or keys that might have been exposed.

Key Takeaways

  • Malicious versions of the node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were published containing an obfuscated credential stealer.
  • The malware executes upon CommonJS module load, forks a detached child process, and harvests developer secrets, cloud credentials, and environment variables.
  • Stolen data is compressed into a local tar.gz archive and exfiltrated via chunked DNS TXT queries to an attacker-controlled zone.
  • The compromise likely occurred via a maintainer account takeover using an expired email domain (atlantis-software.net).
  • The payload uses a deliberate lookalike domain (sh.azurestaticprovider.net) as a bootstrap DNS resolver to blend in with legitimate Azure traffic.

Affected Systems

  • Node.js environments
  • Developer workstations
  • CI/CD pipelines using affected versions of the node-ipc npm package

Attack Chain

The attack begins when a developer or CI environment installs and loads a compromised version of the node-ipc package via CommonJS. Upon loading, an obfuscated IIFE executes, fingerprinting the host and forking a detached child process. The child process recursively searches for and archives developer secrets, cloud credentials, and environment variables into a temporary gzip file. Finally, the malware exfiltrates the compressed archive via chunked DNS TXT queries to an attacker-controlled zone before attempting to delete the temporary file.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules, but outlines behavioral patterns, file hashes, and network IOCs suitable for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can observe the Node.js process spawning a detached child, executing 'uname -a', and writing/deleting temporary .tar.gz files, but the in-memory CommonJS execution might evade static file analysis if heavily obfuscated.
  • Network Visibility: High. The exfiltration relies on a massive volume of DNS TXT queries (up to 29,400 for a 500KB archive) to a specific zone, which is highly anomalous and visible in DNS logs.
  • Detection Difficulty: Moderate. While the initial payload is obfuscated, the sheer volume of DNS TXT queries and the specific temporary file creation patterns provide strong, reliable detection opportunities.

Required Log Sources

  • DNS Query Logs
  • Process Creation Logs
  • File System Logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for Node.js processes spawning detached child processes that subsequently execute 'uname -a' or perform extensive file reads in user home directories.
    Telemetry: Process Creation Logs, Command Line Arguments · ATT&CK Stage: Execution / Collection · FP Risk: Low
  • Hypothesis: Evaluate DNS logs for unusually high volumes of TXT record queries, particularly those with labels starting with 'xh', 'xd', or 'xf', or queries directed to 'bt.node.js'.
    Telemetry: DNS Query Logs · ATT&CK Stage: Exfiltration · FP Risk: Low
  • Hypothesis: If you have visibility into file system events, consider hunting for the creation and rapid deletion of .tar.gz files in temporary directories with the naming convention 'nt-<pid>'.
    Telemetry: File System Logs · ATT&CK Stage: Collection · FP Risk: Low
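The DNS hypothesis above can be turned directly into a hunting script. The following is an added example, not code from the Socket report or from the node-ipc project: it scans constructed DNS query log lines for queries into the zones the report names (bt.node.js and the lookalike sh.azurestaticprovider.net), for TXT queries whose leading label starts with the xh/xd/xf chunk prefixes, and for hosts issuing an anomalous volume of TXT queries. The log line format, the client field name and the volume threshold are assumptions; the report only states that a 500KB archive needs up to 29,400 queries.

```python
"""Hunt DNS query logs for the node-ipc DNS TXT exfiltration pattern.

Added example, not from the Socket report. Indicators (zones, chunk
label prefixes) come from the report; the log format and the threshold
are assumptions.
"""
import re
from collections import Counter, defaultdict

# Indicators taken from the report.
EXFIL_ZONES = ("bt.node.js", "sh.azurestaticprovider.net")
CHUNK_LABEL_PREFIXES = ("xh", "xd", "xf")

# Assumed threshold: a host rarely issues more than a handful of TXT
# lookups per minute; the reported exfiltration needs thousands.
TXT_VOLUME_THRESHOLD = 50

# Assumed log line shape: "<ts> client=<host> qtype=<TYPE> qname=<name>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) qtype=(\S+) qname=(\S+)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def hunt(lines):
    """Return findings as (rule, client, evidence) tuples, aggregated per host."""
    findings = []
    zone_hits = Counter()
    txt_per_client = Counter()
    chunk_hits = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for zone in EXFIL_ZONES:
            if in_zone(ev["qname"], zone):
                zone_hits[(ev["client"], zone)] += 1
        if ev["qtype"] == "TXT":
            txt_per_client[ev["client"]] += 1
            first_label = ev["qname"].split(".")[0]
            if first_label.startswith(CHUNK_LABEL_PREFIXES):
                chunk_hits[ev["client"]] += 1
    for (client, zone), n in zone_hits.items():
        findings.append(("exfil_zone", client, f"queries={n} zone={zone}"))
    for client, n in txt_per_client.items():
        if n >= TXT_VOLUME_THRESHOLD:
            findings.append(("txt_volume", client, f"txt_queries={n}"))
    for client, n in chunk_hits.items():
        findings.append(("chunk_labels", client, f"chunk_labels={n}"))
    return findings


def sample_log():
    """Constructed sample: benign TXT lookups plus a chunked exfil burst."""
    lines = [
        "2026-05-19T10:00:00Z client=dev-laptop-7 qtype=A qname=registry.npmjs.org",
        "2026-05-19T10:00:01Z client=mail-gw qtype=TXT qname=_dmarc.example.com",
        "2026-05-19T10:00:02Z client=mail-gw qtype=TXT qname=example.com",
        # One lookup of the lookalike bootstrap resolver from a workstation.
        "2026-05-19T10:00:03Z client=dev-laptop-7 qtype=A qname=sh.azurestaticprovider.net",
    ]
    # A CI runner emitting chunked TXT queries into the exfil zone
    # (chunk label layout is constructed, only the prefixes are from the report).
    for i in range(120):
        lines.append(
            f"2026-05-19T10:01:{i % 60:02d}Z client=ci-runner-01 qtype=TXT "
            f"qname=xd{i:04x}.deadbeef.bt.node.js"
        )
    return lines


if __name__ == "__main__":
    for finding in hunt(sample_log()):
        print(finding)
```

The zone match fires on a single query, so even a CI job that only reached the bootstrap resolver is surfaced; the volume and chunk-label rules are there for the case where the zone is rotated and only the query shape remains.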

Control Gaps

  • Standard HTTP/HTTPS egress filtering (bypassed via DNS exfiltration)
  • Static AV scanning (bypassed via obfuscated CommonJS payload)

Key Behavioral Indicators

  • High volume of DNS TXT queries from a single host
  • Node.js process setting environment variable __ntw=1
  • Creation of temporary directory matching nt-<pid>
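The host-side indicators above (the __ntw=1 marker on a child of a Node.js process, 'uname -a' running underneath Node.js, and a .tar.gz staged then quickly deleted in an nt-<pid> temporary directory) can be checked against process and file telemetry. The following is an added example, not code from the Socket report or from the node-ipc project; the event schema, the temp roots (/tmp, /var/tmp) and the 60-second "rapid deletion" window are assumptions.

```python
"""Hunt process and file events for the node-ipc host indicators.

Added example, not from the Socket report. Indicators (__ntw=1,
'uname -a', nt-<pid> archive staging) come from the report; the event
dict shape, temp roots and time window are assumptions.
"""
import re

NODE_IMAGE_RE = re.compile(r"(^|/)node(\.exe)?$")
# Assumed temp roots; the report gives only the nt-<pid> directory name.
STAGING_PATH_RE = re.compile(r"^/(?:tmp|var/tmp)/nt-(\d+)/.*\.tar\.gz$")
MAX_STAGING_LIFETIME = 60  # seconds; assumed "rapid deletion" window


def is_node(image):
    return bool(NODE_IMAGE_RE.search(image))


def has_node_ancestor(proc, by_pid):
    """Walk ppid links until a Node.js image is found or the chain ends."""
    seen = set()
    parent = by_pid.get(proc["ppid"])
    while parent is not None and parent["pid"] not in seen:
        if is_node(parent["image"]):
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False


def hunt_processes(procs):
    """Return (rule, pid) findings over process creation events."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if (p.get("env", {}).get("__ntw") == "1"
                and parent is not None and is_node(parent["image"])):
            findings.append(("ntw_marker_child", p["pid"]))
        if p["cmdline"].strip() == "uname -a" and has_node_ancestor(p, by_pid):
            findings.append(("uname_under_node", p["pid"]))
    return findings


def hunt_files(events):
    """Pair create/delete events on nt-<pid> archives; one finding per archive."""
    created = {}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        m = STAGING_PATH_RE.match(e["path"])
        if not m:
            continue
        dir_pid = int(m.group(1))
        if e["op"] == "create":
            created[e["path"]] = e
        elif e["op"] == "delete" and e["path"] in created:
            c = created.pop(e["path"])
            findings.append({
                "rule": "staging_archive", "path": e["path"],
                "deleted_within_window": e["ts"] - c["ts"] <= MAX_STAGING_LIFETIME,
                "pid_matches_dir": c["pid"] == dir_pid,
            })
    for path, c in created.items():  # staged but not (yet) deleted
        findings.append({"rule": "staging_archive", "path": path,
                         "deleted_within_window": False,
                         "pid_matches_dir": c["pid"] == int(STAGING_PATH_RE.match(path).group(1))})
    return findings


def sample_process_events():
    """Constructed: a build process forks a marked child that runs uname."""
    return [
        {"pid": 4101, "ppid": 1, "image": "/usr/bin/node", "cmdline": "node build.js", "env": {}},
        {"pid": 4102, "ppid": 4101, "image": "/usr/bin/node",
         "cmdline": "node /app/node_modules/node-ipc/node-ipc.cjs", "env": {"__ntw": "1"}},
        {"pid": 4103, "ppid": 4102, "image": "/usr/bin/uname", "cmdline": "uname -a", "env": {}},
        # Benign: an admin shell running uname, no Node.js ancestor.
        {"pid": 5000, "ppid": 1, "image": "/bin/bash", "cmdline": "bash", "env": {}},
        {"pid": 5001, "ppid": 5000, "image": "/usr/bin/uname", "cmdline": "uname -a", "env": {}},
    ]


def sample_file_events():
    """Constructed: an nt-<pid> archive created and deleted two seconds later."""
    return [
        {"ts": 1, "pid": 4102, "op": "create", "path": "/tmp/nt-4102/nt-4102.tar.gz"},
        {"ts": 3, "pid": 4102, "op": "delete", "path": "/tmp/nt-4102/nt-4102.tar.gz"},
        {"ts": 5, "pid": 7000, "op": "create", "path": "/tmp/build-cache.tar.gz"},
    ]


if __name__ == "__main__":
    print(hunt_processes(sample_process_events()))
    print(hunt_files(sample_file_events()))
```

The ancestry walk matters because 'uname -a' on its own is a low-value signal; it is the combination with a Node.js parent chain and the __ntw=1 marker that matches the report's behaviour.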

False Positive Assessment

  • Low. The specific IOCs, such as the DNS exfiltration zone and the malicious package hashes, are highly specific to this threat and unlikely to occur legitimately.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Identify and remove compromised node-ipc versions (9.1.6, 9.2.3, 12.0.1) from all environments and reinstall known-clean versions.
  • Check package-lock.json, yarn.lock, pnpm-lock.yaml, and local npm caches for the malicious node-ipc.cjs hash.
  • If the compromised package was loaded, consider rotating all exposed secrets, including SSH keys, cloud provider tokens, and database credentials.
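The lockfile and cache checks in the mitigation steps above can be scripted. The following is an added example, not code from the Socket report or from the node-ipc project: it scans package-lock.json content (both the lockfileVersion 1 'dependencies' tree and the v2/v3 'packages' map, including nested node_modules installs) for node-ipc entries pinned to the versions the report names, and compares the SHA-256 of a cached tarball's bytes against the tarball hashes the report lists. The sample lockfiles are constructed; yarn.lock and pnpm-lock.yaml are not parsed here.

```python
"""Check for the compromised node-ipc releases in lockfiles and cached tarballs.

Added example, not from the Socket report. Versions and SHA-256 values
come from the report; the sample lockfiles below are constructed.
"""
import hashlib
import json

COMPROMISED_VERSIONS = {"9.1.6", "9.2.3", "12.0.1"}
COMPROMISED_TARBALL_SHA256 = {
    "449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e": "node-ipc-9.1.6.tgz",
    "c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea": "node-ipc-9.2.3.tgz",
    "78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981": "node-ipc-12.0.1.tar.gz",
}


def find_compromised_node_ipc(lock_text):
    """Return [(lockfile path, version)] for node-ipc entries pinned to a bad version."""
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        # lockfileVersion 2/3: keys look like "node_modules/<name>" or
        # "node_modules/<parent>/node_modules/<name>" for nested installs.
        for path, meta in lock["packages"].items():
            if (path.split("node_modules/")[-1] == "node-ipc"
                    and meta.get("version") in COMPROMISED_VERSIONS):
                hits.append((path, meta["version"]))
        return hits

    def walk(deps, prefix):
        # lockfileVersion 1: nested "dependencies" objects.
        for name, meta in deps.items():
            key = f"{prefix}node_modules/{name}"
            if name == "node-ipc" and meta.get("version") in COMPROMISED_VERSIONS:
                hits.append((key, meta["version"]))
            walk(meta.get("dependencies", {}), key + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def tarball_verdict(data):
    """SHA-256 the raw tarball bytes; return (digest, matched bad tarball or None)."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, COMPROMISED_TARBALL_SHA256.get(digest)


# Constructed v3 lockfile with a directly installed compromised release.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"node-ipc": "^9"}},
        "node_modules/node-ipc": {"version": "9.1.6",
                                  "resolved": "https://registry.npmjs.org/node-ipc/-/node-ipc-9.1.6.tgz"},
        "node_modules/some-dep": {"version": "2.0.0"},  # constructed filler package
    },
})

# Constructed v1 lockfile: one top-level hit, one nested hit, one non-listed version.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "node-ipc": {"version": "9.2.3"},
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"node-ipc": {"version": "12.0.1"}}},
        "other-lib": {"version": "1.0.0",
                      "dependencies": {"node-ipc": {"version": "10.0.0"}}},  # not on the report's list
    },
})


if __name__ == "__main__":
    print(find_compromised_node_ipc(SAMPLE_LOCK_V3))
    print(find_compromised_node_ipc(SAMPLE_LOCK_V1))
    # In practice, feed the bytes of each tarball under the npm cache directory.
    print(tarball_verdict(b"not a real tarball"))
```

Matching on version alone is the fast first pass; the tarball hash check is what confirms that a cached artifact is one of the three malicious uploads rather than a re-published clean release carrying the same version string.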

Infrastructure Hardening

  • Evaluate implementing DNS filtering to block queries to known malicious domains like sh.azurestaticprovider.net and bt.node.js.
  • Consider restricting outbound DNS traffic from CI/CD environments to only approved internal resolvers.

User Protection

  • Where supported by your tooling, avoid exposing long-lived secrets through process environment variables.
  • Consider transitioning to short-lived cloud credentials and scoped tokens for development and CI workflows.

Security Awareness

  • Educate development teams on the risks of supply chain attacks and the importance of reviewing package entrypoints during dependency updates.

MITRE ATT&CK Mapping

  • T1195.001 - Compromise Software Dependencies and Development Tools
  • T1082 - System Information Discovery
  • T1552.001 - Credentials In Files
  • T1552.004 - Private Keys
  • T1074.001 - Local Data Staging
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

Additional IOCs

  • File Hashes:
    • 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e (SHA256) - Hash of the malicious node-ipc-9.1.6.tgz package tarball.
    • c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea (SHA256) - Hash of the malicious node-ipc-9.2.3.tgz package tarball.
    • 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 (SHA256) - Hash of the malicious node-ipc-12.0.1.tar.gz package tarball.
  • File Paths:
    • node-ipc.cjs - The CommonJS entrypoint file where the malicious obfuscated IIFE payload is appended.
  • Command Lines:
    • uname -a | Purpose: Host fingerprinting fallback if Node.js OS APIs fail. | Tools: uname | Stage: Reconnaissance
  • Other:
    • __ntw=1 - Environment variable set by the payload to distinguish the detached child execution path.
    • __ntRun - Exported runner property exposed by the malicious payload.
    • qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi - Decoded payload key used for authentication and encoding.
    • Oct 26 1985 - Forensic artifact timestamp present on every file within the reviewed malicious tarballs.