Popular node‑ipc npm Package Infected with Credential Stealer – Supply‑Chain Attack Threatens Thousands of JavaScript Projects
What Happened — The widely‑used node‑ipc npm module was compromised and now delivers a credential‑stealing payload to any project that installs it. Attackers injected malicious code into the package’s latest release, harvesting CI/CD tokens, SSH keys, and cloud API credentials from developers’ environments.
Why It Matters for TPRM —
- Third‑party libraries are a common attack surface; a single compromised component can cascade across multiple downstream vendors.
- Stolen credentials enable lateral movement into cloud workloads, SaaS services, and on‑premise infrastructure owned by your suppliers.
- The incident highlights the need for continuous SBOM validation and automated dependency scanning.
Who Is Affected — Technology / SaaS vendors, cloud‑native service providers, development agencies, and any organization that incorporates node‑ipc (or transitive dependencies) into production code.
Recommended Actions —
- Immediately audit your software bill of materials (SBOM) for
node‑ipcand related packages. - Pull and replace the compromised version; enforce signed package verification where possible.
- Rotate any credentials that may have been exposed (CI tokens, SSH keys, cloud API secrets).
- Strengthen supply‑chain controls: enable provenance checks, enforce least‑privilege CI permissions, and adopt runtime monitoring for anomalous credential access.
Technical Notes — The malicious code is delivered via a post‑install script that executes a Node.js child process to read environment variables and configuration files containing credentials, then exfiltrates them to a hard‑coded C2 domain using HTTPS. No CVE has been assigned yet; the attack vector is a third‑party dependency compromise. Source: Security Affairs Malware Newsletter Round 98