
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Why It Matters
The breach demonstrates how compromised open‑source components can silently siphon critical cloud and code‑base secrets, jeopardizing entire development ecosystems and prompting urgent credential rotation.
Key Takeaways
- Three node‑ipc versions (9.1.6, 9.2.3, 12.0.1) contain the stealer backdoor.
- Payload runs on require via an IIFE, avoiding npm install hooks.
- Harvests 90 credential categories, including AWS, Azure, GitHub and Terraform.
- Version 12.0.1 activates only when the project hash matches a hard‑coded value.
- Uses DNS TXT exfiltration and a custom resolver to evade detection.
Pulse Analysis
Supply‑chain attacks on open‑source libraries have surged, and the latest compromise of node‑ipc underscores the growing sophistication of threat actors. The three malicious releases were published by an unfamiliar maintainer who hijacked a dormant package that previously enjoyed high download counts. By embedding an Immediately Invoked Function Expression (IIFE) directly into the compiled module, the attacker ensures the payload runs on every require call, sidestepping the npm preinstall and postinstall lifecycle scripts that many security tools monitor. This makes detection harder, especially when the payload is obfuscated and only activates under specific conditions.
Technical analysis reveals a multi‑layered exfiltration strategy. Version 12.0.1 includes a SHA‑256 fingerprint check that limits execution to a targeted project whose entry point hashes to a pre‑computed value, while the 9.x releases fire indiscriminately. Once triggered, the malware gathers a broad spectrum of secrets—cloud API keys, SSH keys, Kubernetes tokens, and even IDE settings—compresses them into a GZIP archive, and sends the payload to a counterfeit Azure subdomain. To avoid traditional DNS logging, it overwrites the system resolver, directs queries to Google Public DNS for C2 discovery, and then tunnels data via DNS TXT records straight to the attacker’s server, effectively bypassing corporate DNS monitoring.
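The resolver override and TXT tunnelling described above are the network behaviours a defender can hunt for. The following is an added example, not code from the article or from the node-ipc project: a small Node.js detector run over constructed DNS log lines that flags queries sent straight to a public resolver instead of the corporate one, and TXT lookups whose labels are long enough to carry encoded data. The log format, the corporate resolver address 10.0.0.53, the label-length threshold and the example.invalid domains are all assumptions made for this example.

```javascript
// Added example (not the article's or node-ipc's code): flag DNS log records
// that show resolver bypass or data-bearing TXT lookups.
const CORPORATE_RESOLVERS = new Set(['10.0.0.53']); // assumed internal resolver address
const TXT_LABEL_LENGTH_THRESHOLD = 40;              // heuristic cutoff; tune to your own baseline

// Parse one "key=value key=value ..." log line (a constructed format for this example).
function parseDnsLine(line) {
  const rec = {};
  for (const token of line.trim().split(/\s+/)) {
    const eq = token.indexOf('=');
    if (eq > 0) rec[token.slice(0, eq)] = token.slice(eq + 1);
  }
  return rec;
}

// Return the reasons a record looks suspicious (an empty array means nothing was flagged).
function classifyDnsRecord(rec) {
  const reasons = [];
  // A host whose queries never reach the corporate resolver has bypassed its logging and filtering.
  if (rec.dst && !CORPORATE_RESOLVERS.has(rec.dst)) reasons.push('external-resolver');
  // TXT lookups with very long labels are the classic shape of data tunnelled through DNS.
  if (rec.qtype === 'TXT') {
    const labels = (rec.qname || '').split('.');
    const longest = Math.max(0, ...labels.map((label) => label.length));
    if (longest >= TXT_LABEL_LENGTH_THRESHOLD) reasons.push('long-txt-label');
  }
  return reasons;
}

// Run the classifier over a batch of log lines and keep only the flagged records.
function findSuspiciousDns(lines) {
  const flagged = [];
  for (const line of lines) {
    const rec = parseDnsLine(line);
    const reasons = classifyDnsRecord(rec);
    if (reasons.length > 0) flagged.push({ ts: rec.ts, src: rec.src, qname: rec.qname, reasons });
  }
  return flagged;
}

// Constructed sample log: one normal lookup, one host talking to 8.8.8.8 directly,
// one TXT query with a 52-character label, and one legitimate short TXT lookup.
const SAMPLE_DNS_LOG = [
  'ts=2024-05-01T10:00:01Z src=10.0.4.17 dst=10.0.0.53 qtype=A qname=registry.npmjs.org',
  'ts=2024-05-01T10:00:02Z src=10.0.4.17 dst=8.8.8.8 qtype=A qname=updates.example.invalid',
  'ts=2024-05-01T10:00:03Z src=10.0.4.17 dst=8.8.8.8 qtype=TXT qname=' + 'a'.repeat(52) + '.c2.example.invalid',
  'ts=2024-05-01T10:00:04Z src=10.0.4.22 dst=10.0.0.53 qtype=TXT qname=_dmarc.example.com',
];

for (const hit of findSuspiciousDns(SAMPLE_DNS_LOG)) {
  console.log(`${hit.ts} ${hit.src} -> ${hit.qname}: ${hit.reasons.join(', ')}`);
}
```

The two signals are deliberately independent: a developer laptop on a hotel network will trip `external-resolver` on its own, while `long-txt-label` on top of it is what separates a misconfigured host from one whose resolver has been replaced to carry data out.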
For enterprises and development teams, the incident is a stark reminder to enforce strict package provenance controls and continuous monitoring of dependency trees. Immediate remediation steps include removing the tainted versions, reinstalling a known clean release, and rotating all potentially exposed credentials. Organizations should also audit npm publish activity, scrutinize workflow logs for anomalous require calls, and enforce egress filtering to block traffic to suspicious domains. As supply‑chain threats evolve, adopting automated SBOM generation and runtime integrity checks will become essential components of a resilient software development lifecycle.
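As an added example of the first remediation step, and not code from the article or from node-ipc itself, the following Node.js script audits a package-lock.json for the three versions the article names. It handles both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1. The sample lockfile contents are constructed, and the `auditLockfile` helper with its file-path argument is this example's own.

```javascript
// Added example (not the article's or node-ipc's code): audit a package-lock.json
// for the node-ipc versions the article identifies as carrying the backdoor.
const MALICIOUS_NODE_IPC_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']);

// Lockfile v2/v3 lists every installed package under "packages", keyed by its path
// inside the tree; v1 nests packages recursively under "dependencies".
function findCompromisedNodeIpc(lock) {
  const hits = [];

  if (lock.packages && typeof lock.packages === 'object') {
    for (const [pkgPath, meta] of Object.entries(lock.packages)) {
      if (pkgPath === '') continue; // the root project entry
      // Aliased installs carry an explicit "name"; otherwise derive it from the path.
      const name = meta.name || pkgPath.slice(pkgPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (name === 'node-ipc' && MALICIOUS_NODE_IPC_VERSIONS.has(meta.version)) {
        hits.push({ path: pkgPath, version: meta.version });
      }
    }
    return hits; // v2 lockfiles also keep a legacy "dependencies" tree; do not count it twice
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const pkgPath = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc' && MALICIOUS_NODE_IPC_VERSIONS.has(meta.version)) {
        hits.push({ path: pkgPath, version: meta.version });
      }
      walk(meta.dependencies, `${pkgPath}/`); // nested (deduplicated-away) copies live here in v1
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Convenience wrapper for a real project (hypothetical usage):
//   node audit-node-ipc.js ./package-lock.json
function auditLockfile(filePath) {
  const fs = require('fs');
  return findCompromisedNodeIpc(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample lockfile: a direct node-ipc 12.0.1 plus a nested copy at a
// version the article does not list, so only the first one should be reported.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '12.0.1' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.2' },
  },
};

for (const hit of findCompromisedNodeIpc(SAMPLE_LOCK)) {
  console.log(`COMPROMISED: ${hit.path} is node-ipc@${hit.version}; remove it, reinstall a clean release and rotate credentials`);
}
```

Because the payload runs at require time rather than at install time, a hit in the lockfile means any process that loaded the package should be treated as having exposed the credential categories the article lists, which is why the rotation step follows directly from a positive result here.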