HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Credential‑Stealer Injected into Popular node‑ipc npm Package Triggers Wide‑Scale Supply‑Chain Risk

The `node‑ipc` npm module was compromised with a credential‑stealing post‑install script, exposing CI/CD tokens and cloud API keys for any project that depends on it. TPRM teams must verify SBOMs, replace the package, and rotate affected secrets.

LiveThreat™ Intelligence · 📅 May 24, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Popular node‑ipc npm Package Infected with Credential Stealer – Supply‑Chain Attack Threatens Thousands of JavaScript Projects

What Happened — The widely‑used node‑ipc npm module was compromised and now delivers a credential‑stealing payload to any project that installs it. Attackers injected malicious code into the package’s latest release, harvesting CI/CD tokens, SSH keys, and cloud API credentials from developers’ environments.

Why It Matters for TPRM

  • Third‑party libraries are a common attack surface; a single compromised component can cascade across multiple downstream vendors.
  • Stolen credentials enable lateral movement into cloud workloads, SaaS services, and on‑premise infrastructure owned by your suppliers.
  • The incident highlights the need for continuous SBOM validation and automated dependency scanning.

Who Is Affected — Technology / SaaS vendors, cloud‑native service providers, development agencies, and any organization that incorporates node‑ipc (or transitive dependencies) into production code.

Recommended Actions

  • Immediately audit your software bill of materials (SBOM) for node‑ipc and related packages.
  • Pull and replace the compromised version; enforce signed package verification where possible.
  • Rotate any credentials that may have been exposed (CI tokens, SSH keys, cloud API secrets).
  • Strengthen supply‑chain controls: enable provenance checks, enforce least‑privilege CI permissions, and adopt runtime monitoring for anomalous credential access.

Technical Notes — The malicious code is delivered via a post‑install script that executes a Node.js child process to read environment variables and configuration files containing credentials, then exfiltrates them to a hard‑coded C2 domain using HTTPS. No CVE has been assigned yet; the attack vector is a third‑party dependency compromise. Source: Security Affairs Malware Newsletter Round 98

📰 Original Source
https://securityaffairs.com/192598/malware/security-affairs-malware-newsletter-round-98.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →