BREACH BRIEF · 🟠 High Threat · ThreatIntel

Supply Chain Attack Compromises Popular node‑ipc npm Package, Stealing Cloud and DevOps Credentials via DNS

Hackers injected malicious code into three recent releases of the popular node‑ipc npm package, enabling credential theft and DNS‑based exfiltration. Organizations using the package face potential exposure of cloud, SSH, and CI/CD secrets, making immediate remediation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 16, 2026 · 📰 bleepingcomputer.com
  • 🟠 Severity: High
  • TI Type: ThreatIntel
  • 🎯 Confidence: High
  • 🏢 Affected: 4 sector(s)
  • Actions: 5 recommended
  • 📰 Source: bleepingcomputer.com


What Happened — Hackers injected credential‑stealing malware into three newly published versions of the widely used node‑ipc npm package, turning it into a supply‑chain weapon that harvests cloud, SSH, and CI/CD secrets. The malicious code executes automatically on load, compresses the stolen data, and exfiltrates it via DNS TXT queries that blend into normal DNS traffic.

Why It Matters for TPRM

  • A single compromised open‑source component can expose thousands of downstream applications and the underlying cloud environments they manage.
  • DNS‑based exfiltration evades many traditional network‑security controls, increasing detection difficulty.
  • Stolen credentials enable lateral movement, privilege escalation, and further attacks on critical infrastructure.

Who Is Affected — Technology and SaaS vendors, cloud‑native services, DevOps tooling providers, and any organization that incorporates node‑ipc into production workloads (an estimated 690k weekly downloads).

Recommended Actions

  • Inventory all assets that depend on node‑ipc and verify the version in use.
  • Immediately block the affected releases or downgrade to a known clean version (pre‑9.1.6).
  • Rotate all cloud, SSH, and CI/CD tokens on affected hosts.
  • Deploy DNS monitoring for anomalous TXT query patterns and block the malicious domains.
  • Strengthen open‑source supply‑chain controls: enforce signed package verification, use SBOMs, and apply automated dependency scanning.
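The first two actions above (inventory the dependency, verify the version) can be automated against a lockfile. The script below is an added example, not code from the brief or from the node‑ipc project: it walks a package-lock.json in both the lockfileVersion 2/3 "packages" shape and the lockfileVersion 1 nested "dependencies" shape, finds every copy of node‑ipc (including transitive copies nested under other packages), and flags anything at or above 9.1.6, since the brief names pre‑9.1.6 as the known clean range. The lockfile contents and package names are constructed sample data; the version boundary is the only value taken from the brief.

```javascript
// Added example (not from the brief or the node-ipc project): audit a
// package-lock.json for node-ipc and flag versions at or after 9.1.6.
// The brief calls pre-9.1.6 "known clean"; everything else is flagged for review.

const TARGET_PACKAGE = 'node-ipc';
const CLEAN_BELOW = '9.1.6';

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix, then compare numerically.
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isKnownClean(version) {
  return compareVersions(version, CLEAN_BELOW) < 0;
}

// Locate every installed copy of the target package.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree (only walked when "packages" is absent,
// because v2 lockfiles carry both and would otherwise double-count).
function findPackage(lock, name = TARGET_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function auditLockfile(lock) {
  return findPackage(lock).map((h) => ({
    ...h,
    status: isKnownClean(h.version) ? 'known-clean' : `REVIEW: at/after ${CLEAN_BELOW}`,
  }));
}

// Constructed sample lockfile (v3 shape): one direct copy at 9.1.6 and one
// transitive copy at 9.1.5 nested under a hypothetical "some-tool" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.1.6' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.1.5' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it with `node` after replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; every flagged path is a copy that needs the downgrade or removal described above, and nested hits are the ones a plain `npm ls node-ipc` at the top level is easiest to overlook.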

Technical Notes — The malware resides in the CommonJS entrypoint (node‑ipc.cjs), is heavily obfuscated, and collects environment variables, .env files, keyrings, token files, shell histories, and local keychain data. It compresses the data into tar.gz archives, then exfiltrates via DNS TXT queries to a fake Azure‑styled domain (sh.azurestaticprovider.net) that forwards to bt.node.js. No persistence mechanisms or secondary payloads were observed. Source: BleepingComputer
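The DNS monitoring called for under Recommended Actions and the exfiltration path described in the Technical Notes both come down to spotting TXT queries that carry data in their names. The detector below is an added example, not code from the brief or from BleepingComputer: it parses a constructed resolver log format (timestamp, client IP, query type, query name), matches queries against the domain named in the brief, and applies three generic tunnelling heuristics that do not depend on that IoC: over-long labels or names, high-entropy subdomain text, and a burst of distinct subdomains from one client to one base domain (chunked uploads). The thresholds, the log format, and the sample lines are assumptions; only sh.azurestaticprovider.net comes from the brief.

```javascript
// Added example (not from the brief or BleepingComputer): flag DNS TXT queries
// that look like tunnelled exfiltration. Log format, thresholds and sample
// lines are constructed; the IoC domain is the one named in the brief.

const IOC_DOMAINS = ['sh.azurestaticprovider.net'];
const MAX_LABEL = 40;        // single label longer than this is rare in normal names
const MAX_QNAME = 120;       // whole query name longer than this is rare
const MIN_ENTROPY = 3.8;     // bits/char over the subdomain text (hex tops out at 4, base32 at 5)
const MIN_ENTROPY_LEN = 24;  // ignore short subdomains when scoring entropy
const BURST_THRESHOLD = 20;  // distinct subdomains per client+base domain in one batch

// Constructed line shape: "<iso-timestamp> <client-ip> <qtype> <qname>"
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], client: m[2], qtype: m[3].toUpperCase(), qname: m[4].toLowerCase().replace(/\.$/, '') };
}

function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Naive registrable-domain split (last two labels). A real deployment would
// use the public suffix list so that e.g. co.uk is not treated as a base domain.
function splitName(qname) {
  const labels = qname.split('.');
  return { labels, base: labels.slice(-2).join('.'), sub: labels.slice(0, -2).join('.') };
}

function analyzeQueries(lines) {
  const alerts = [];
  const seenSubs = new Map(); // "client|base" -> Set of distinct subdomains
  for (const line of lines) {
    const q = parseLine(line);
    if (!q || q.qtype !== 'TXT') continue;
    const { labels, base, sub } = splitName(q.qname);
    const reasons = [];
    if (IOC_DOMAINS.some((d) => q.qname === d || q.qname.endsWith(`.${d}`))) reasons.push('ioc-domain');
    if (labels.some((l) => l.length > MAX_LABEL)) reasons.push('long-label');
    if (q.qname.length > MAX_QNAME) reasons.push('long-qname');
    const subChars = sub.replace(/\./g, '');
    if (subChars.length >= MIN_ENTROPY_LEN && shannonEntropy(subChars) >= MIN_ENTROPY) {
      reasons.push('high-entropy-subdomain');
    }
    const key = `${q.client}|${base}`;
    if (!seenSubs.has(key)) seenSubs.set(key, new Set());
    seenSubs.get(key).add(sub);
    if (reasons.length) alerts.push({ ts: q.ts, client: q.client, qname: q.qname, reasons });
  }
  // Burst rule: many distinct subdomains to one base domain from one client.
  for (const [key, subs] of seenSubs) {
    if (subs.size >= BURST_THRESHOLD) {
      const [client, base] = key.split('|');
      alerts.push({ client, base, count: subs.size, reasons: ['subdomain-burst'] });
    }
  }
  return alerts;
}

// Constructed sample log: a benign TXT lookup, one exfil-style query to the
// brief's domain, an unrelated A record, and 25 chunked queries to a
// hypothetical example.test domain.
const SAMPLE_LOG = [
  '2026-05-16T10:00:01Z 10.0.0.5 TXT _dmarc.example.com',
  '2026-05-16T10:00:02Z 10.0.0.5 TXT k7m2q9x4w6z1p8r3n5v0tyhjbcdfgslu.0.sh.azurestaticprovider.net',
  '2026-05-16T10:00:03Z 10.0.0.7 A www.example.com',
  ...Array.from({ length: 25 }, (_, i) =>
    `2026-05-16T10:01:${String(i).padStart(2, '0')}Z 10.0.0.9 TXT chunk${i}.upload.example.test`),
];

console.log(JSON.stringify(analyzeQueries(SAMPLE_LOG), null, 2));
```

The IoC match is the cheap, exact signal and should be fed to the blocklist the brief recommends; the three generic rules are what catch the same technique once the attacker rotates domains, and they will need tuning against a baseline of the organisation's own TXT traffic (DKIM, SPF and service-discovery lookups are the usual benign sources of long or odd-looking names).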

📰 Original Source
https://www.bleepingcomputer.com/news/security/popular-node-ipc-npm-package-compromised-to-steal-credentials/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
