A Node.js package that pushes 690,000 downloads a week just shipped malware that hoovers up AWS keys, SSH configs, Kubernetes credentials, GitHub tokens, and macOS Keychain files — then smuggles the loot out through DNS queries disguised as normal traffic. If your CI pipeline pulled node-ipc versions 9.1.6, 9.2.3, or 12.0.1 in the last few days, you should assume every secret on that build host is already gone.
node-ipc has been weaponized before. The first time, in March 2022, the maintainer himself shipped a protest payload that wiped files on systems geolocated to Russia and Belarus. That incident should have killed the package. It didn’t. Three years later, an external attacker took over an inactive maintainer account named ‘atiertant’ and turned the same dependency into an industrial-grade credential stealer. The lesson is not that one package is cursed. The lesson is that the npm ecosystem still has no real answer for what happens when a high-trust account goes dark.
Why a Stealer Hiding in node-ipc Is Worse Than Your Average Supply Chain Hit
According to coordinated reports from Socket, Ox Security, and Upwind, the malicious code lives inside the CommonJS entrypoint node-ipc.cjs and fires automatically the moment any application loads the module. There is no specific function call required and no trigger condition to bypass — require('node-ipc') is enough to detonate the payload on the host.
The researchers list cloud credentials from AWS, Azure, GCP, OCI, and DigitalOcean; SSH keys and configs; Kubernetes, Docker, Helm, and Terraform credentials; npm, GitHub, GitLab, and Git CLI tokens; .env files and database credentials; shell histories and CI/CD secrets; macOS Keychain files and Linux keyrings; Firefox profile data on macOS; and Microsoft Teams local storage paths. That’s a complete checklist for lateral movement across a developer’s machine.
If you run a Node.js service on a build agent that holds long-lived AWS keys, a single tainted npm install is enough to hand an attacker your production. The malware skips files larger than 4 MiB and avoids walking .git and node_modules directories, which is the kind of optimization you only write when you have done this before and know exactly which paths slow you down. That’s not experimentation — it’s a tuned operation.
My take: the next wave of npm-borne malware will continue specializing in cloud and CI/CD secrets because that is where the money is. Stealing a junior dev’s bash history is a side effect; stealing the GitHub Actions token that deploys to prod is the goal.
DNS TXT Exfiltration Is the Real Innovation Here
The most interesting tradecraft is not the stealer itself but how it gets the data out. Instead of POSTing to a command-and-control server over HTTPS, the malware exfiltrates compressed archives through DNS TXT queries, using a fake Azure-themed bootstrap resolver at sh.azurestaticprovider.net:443 and shipping data to bt.node.js with query prefixes like xh, xd, and xf.
Socket calculated that exfiltrating a single 500 KB compressed archive generates roughly 29,400 DNS TXT requests. That sounds noisy, and it is — but it blends into the absolute torrent of DNS traffic that any developer laptop or build server already generates. Most outbound firewall rules permit DNS without inspection. Most SIEMs do not alert on TXT query volume from a developer endpoint because nobody has a useful baseline for what “normal” looks like.
If you are a security team that watches HTTP egress religiously but treats UDP/53 as benign infrastructure plumbing, you are exactly the target audience for this attack. A practical scenario: your developer pulls the bad version on Monday morning, the stealer runs during their npm test, and by lunch your cloud keys are exfiltrated through your own resolver — never touching the web proxy or the egress filter you spent the quarter tuning. Teams managing sensitive workloads — think healthcare platforms handling patient data or fintechs running identity verification pipelines — should treat unmonitored DNS as a live exfil channel, not a quiet one.
Prediction: within twelve months, more than one major DLP vendor will ship “DNS exfiltration detection” as a marquee feature, and we’ll see at least one mainstream EDR add per-process DNS volume baselining.
The Dormant Maintainer Problem Is npm’s Real Vulnerability
The compromise itself happened because an inactive maintainer account got taken over. That is not a bug in node-ipc — it’s a structural feature of every package registry that lets long-tail accounts retain publish rights forever. npm, PyPI, RubyGems, Crates.io, and Maven all have the same problem to varying degrees: trust accrues over years, accounts go silent, and nobody notices when one of them suddenly publishes a new version with a different CommonJS entrypoint.
For a working dev team, the implication is brutal. Pinning versions doesn’t help if you have ever run npm install with a caret range. Lockfiles don’t help if you update them. Even SBOMs only tell you what you shipped — not whether the upstream account that published it is still controlled by the same human. The same auditability gap shows up in other domains where dependency provenance matters, and the answers there — verifiable signing, hardware-backed identity, mandatory MFA on publish — are slowly arriving in package land too. npm now requires 2FA for top packages, but “top” is not the whole long tail, and one-time 2FA at publish does not stop an attacker who phishes the session.
If you’re running a Node.js shop today, the practical move is to assume any transitive dependency can turn hostile and architect for blast radius reduction: short-lived CI tokens, scoped cloud roles, no developer machines with prod keys, and egress allowlists that include DNS resolvers. The Socket, Ox, and Upwind advisories all say the same thing — remove the bad versions, rotate every exposed secret, and audit your lockfiles and npm caches. Do that today, not Monday.
FAQ
Q: How do I know if my project pulled a malicious version of node-ipc?
A: Check package-lock.JSON, yarn.lock, or pnpm-lock.YAML for node-ipc@9.1.6, 9.2.3, or 12.0.1. Also inspect your npm cache (~/.npm/_cacache) and any CI build logs from the past week. If you find any of the three versions, treat every credential that touched that environment as compromised.
Q: What is DNS TXT exfiltration and why is it hard to detect? A: DNS TXT records were designed to carry arbitrary text alongside domain lookups. Malware can chunk stolen data into thousands of small TXT queries that look like ordinary DNS traffic, bypassing HTTP-based egress filters and proxies that don’t inspect port 53. Detection requires baselining per-host DNS query volume and watching for unusual subdomain entropy — neither of which most teams do today.
Q: Should I stop using node-ipc entirely? A: That’s a judgment call, but the package has now been weaponized twice — once by its own maintainer in 2022, once by an account takeover in 2025. If a viable alternative exists for your use case, the case for migrating is strong. At minimum, vendor it and freeze the version with integrity hashes you’ve audited.
Key Takeaways
- Audit lockfiles for
node-ipc@9.1.6,9.2.3, and12.0.1immediately, then rotate any credential reachable from a build host that may have installed them. - Treat DNS as a first-class exfiltration channel — add per-host TXT query volume monitoring before the next attacker reuses this playbook on a different package.
- Inactive maintainer accounts are the soft underbelly of every package registry; expect more 2025-era npm compromises to originate from dormant accounts rather than zero-days.
- Cloud and CI/CD secrets are now the primary loot of supply chain attacks — design auth so a stolen token expires in minutes, not months.
- The era of trusting transitive dependencies based on download counts is over; “690,000 weekly downloads” did not stop
node-ipcfrom being weaponized twice in three years.