Stealer backdoor in node-ipc (9.1.6, 9.2.3, 12.0.1)

Colleagues, please note a cybersecurity incident: malicious releases of the npm package node-ipc have been published.
- According to Socket and StepSecurity, versions 9.1.6, 9.2.3 and 12.0.1 contain an obfuscated stealer/backdoor embedded as an IIFE that executes on require.
- It exfiltrates secrets (AWS, GCP, Azure, SSH, Kubernetes, GitHub, Terraform, etc.), archives them and uploads them to sh.azurestaticprovider[.]net; a DNS‑TXT channel is also used.
- The releases were published by the account “atiertant”; 12.0.1 activates based on the SHA‑256 of the target module, while the 9.x releases run universally.
Why it matters: compromise of a popular package endangers the supply chain.
Actions: remove the affected versions, move to 9.2.1/12.0.0, rotate credentials, audit releases and CI, block egress to the C2.
How do you scan projects for such threats?
#cybersecurity #supplychain #npm #devsecops

