Editorial

node-ipc Was Compromised via a Dormant Maintainer Account. 690,000 Weekly Downloads.

Robert · Updated May 15, 2026 · 5 min read


Three versions of node-ipc published to npm on May 14, 2026 contain a credential-stealing payload. The malicious code executes automatically on import. The attack vector was an external actor compromising the account of an inactive maintainer named atiertant.

Affected versions: 9.1.6, 9.2.3, and 12.0.1.

As of the time of writing, none of the three versions have been unpublished from the npm registry.


What node-ipc is

node-ipc is a Node.js inter-process communication module supporting Unix, Windows, UDP, TLS, and TCP sockets. It has 690,000 weekly downloads on npm. It is a transitive dependency in a wide range of Node.js projects.

This is not the first time node-ipc has been weaponised. In March 2022 the package maintainer intentionally published versions that deleted files on Russia- and Belarus-based systems in protest of the Ukraine war. Despite that documented history, the package retains hundreds of thousands of weekly downloads.


How the attack works

The malicious code hides inside the CommonJS entrypoint (node-ipc.cjs) and executes automatically when any application imports the package. No explicit trigger is required.

The payload fingerprints the infected system, collects environment variables and sensitive local files, compresses the stolen data into tar.gz archives, and exfiltrates it through DNS TXT queries to a fake Azure-themed domain (sh.azurestaticprovider.net:443). The compressed data is transmitted to bt.node.js with query prefixes xh, xd, and xf. The archives are deleted after exfiltration to reduce forensic traces.

The DNS exfiltration mechanism is notable. A 500 KB compressed archive generates approximately 29,400 DNS TXT requests. That volume of DNS traffic blends into normal activity and evades HTTP-based C2 detection. Standard network monitoring is unlikely to flag it.
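The pattern described above is detectable if DNS query logs are actually inspected. The following is an added example, not code from the article, Attestd, or node-ipc: it groups TXT queries per client and zone, and flags a group either because a leading label carries one of the xh/xd/xf prefixes the article names or because the volume alone is abnormal. The log format and the label layout of the sample lines are constructed assumptions.

```javascript
// Added example (not from the article, Attestd, or node-ipc): detect the DNS
// TXT exfiltration pattern described in the article from a DNS query log.
// Log format is a constructed, simplified one: "<epoch> <client_ip> <qtype> <qname>".
const SAMPLE_DNS_LOG = [
  "1747238400 10.0.0.5 A registry.npmjs.org",
  "1747238401 10.0.0.5 TXT xh0.aGVhZGVy.sh.azurestaticprovider.net",
  "1747238401 10.0.0.5 TXT xd0.ZGF0YTE.sh.azurestaticprovider.net",
  "1747238401 10.0.0.5 TXT xd1.ZGF0YTI.sh.azurestaticprovider.net",
  "1747238402 10.0.0.5 TXT xf0.ZW5k.sh.azurestaticprovider.net",
  "1747238402 10.0.0.7 TXT _dmarc.example.com",
  "1747238403 10.0.0.7 TXT _dmarc.example.com",
];

// Leading-label prefixes the article names for the exfiltration queries.
const EXFIL_PREFIX = /^x[hdf]/;

function parseDnsLog(lines) {
  return lines.map((line) => {
    const [epoch, client, qtype, qname] = line.trim().split(/\s+/);
    return { epoch: Number(epoch), client, qtype, qname: qname.toLowerCase() };
  });
}

// Approximate the registrable zone as the last two labels. Good enough for
// grouping here; use a public-suffix list for e.g. co.uk domains.
function zoneOf(qname) {
  return qname.split(".").slice(-2).join(".");
}

// Group TXT queries by (client, zone). A group is suspicious when any query
// carries an xh/xd/xf leading label, or when its volume reaches minQueries
// (the article puts a 500 KB archive at ~29,400 queries, so even a modest
// per-client, per-zone threshold catches a real exfiltration burst).
function findTxtExfil(records, { minQueries = 1000 } = {}) {
  const groups = new Map();
  for (const r of records) {
    if (r.qtype !== "TXT") continue;
    const zone = zoneOf(r.qname);
    const key = `${r.client}|${zone}`;
    const g = groups.get(key) || { client: r.client, zone, txtQueries: 0, prefixedQueries: 0 };
    g.txtQueries += 1;
    if (EXFIL_PREFIX.test(r.qname.split(".")[0])) g.prefixedQueries += 1;
    groups.set(key, g);
  }
  return [...groups.values()].filter((g) => g.prefixedQueries > 0 || g.txtQueries >= minQueries);
}

// Stand-alone run: prints the single finding for 10.0.0.5 -> azurestaticprovider.net.
console.log(findTxtExfil(parseDnsLog(SAMPLE_DNS_LOG), { minQueries: 3 }));
```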

The malware does not establish persistence and does not download secondary payloads. The operation is focused on rapid credential theft and exfiltration, then exit.

Credentials targeted: cloud credentials from AWS, Azure, GCP, OCI, and DigitalOcean; SSH keys and SSH configs; Kubernetes, Docker, Helm, and Terraform credentials; npm, GitHub, GitLab, and Git CLI tokens; .env files and database credentials; shell histories and CI/CD secrets; macOS Keychain files and Linux keyrings; Firefox profile and key database files on macOS; Microsoft Teams local storage.


What Attestd returns

node-ipc is a monitored package on Attestd. All three compromised versions return supply_chain.compromised: true on the live API. The clean version immediately prior returns supply_chain.compromised: false.

```bash
# Compromised version
curl "https://api.attestd.io/v1/check?product=node-ipc&version=9.1.6" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "node-ipc",
  "version": "9.1.6",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": true,
    "sources": ["osv"],
    "malware_type": "malware",
    "description": "Malicious code in node-ipc (npm)",
    "advisory_url": "https://safedep.io/malicious-node-ipc-npm-compromise/",
    "compromised_at": "2026-05-14T16:53:17Z",
    "removed_at": null
  }
}
```

```bash
# Clean version
curl "https://api.attestd.io/v1/check?product=node-ipc&version=9.1.5" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "node-ipc",
  "version": "9.1.5",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": []
  }
}
```

Three things worth noting about these responses.

risk_state: "none" on all versions, including the compromised ones. No CVE exists for this attack. A tool that checks CVE severity alone would return clean for all three affected versions. The supply chain signal is the only detector.

removed_at: null on the compromised versions means they have not been unpublished from the npm registry as of the time of testing. If you have node-ipc in a lockfile, check the pinned version before assuming you are safe.

sources: ["osv"] means the compromise was detected via the OSV MAL- advisory pipeline, not manual curation. The advisory was ingested automatically.


The dormant account vector

The TanStack attack three days ago used CI/CD pipeline hijacking via OIDC token theft. This attack used a different vector: account takeover of a maintainer account that had been inactive long enough to have reduced security posture.

Dormant maintainer accounts are a persistent structural risk in open-source ecosystems. A package with 690,000 weekly downloads that has not been actively maintained has a large attack surface and a reduced chance of the maintainer noticing anomalous activity on their account.

This is the third distinct attack vector Attestd has covered in the last 30 days: CI/CD pipeline hijacking (TanStack), inactive maintainer account takeover (node-ipc), and intentional maintainer sabotage (the 2022 node-ipc incident that preceded this one). The detection approach is the same for all three. A registry of known-compromised version tuples does not care how the compromise happened.


If you use node-ipc

Remove node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 immediately. Check your lockfile -- if any of these versions are pinned as a transitive dependency, those pins need to be resolved as well.

Rotate immediately: cloud credentials, SSH keys, npm tokens, GitHub and GitLab tokens, any credentials in .env files, and any CI/CD secrets accessible from the affected environment.

Inspect DNS logs for high-volume TXT record queries to unfamiliar domains, particularly queries with xh, xd, or xf prefixes. That is the exfiltration pattern.
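The lockfile check above is easy to get wrong when node-ipc arrives as a transitive dependency nested under another package. The following is an added example, not code from the article, Attestd, or npm: it walks a package-lock.json in both the lockfileVersion 2/3 "packages" layout and the older v1 nested "dependencies" layout, lists every installed copy of node-ipc with its path, and flags the three versions the article names. It also applies the point made in the response notes: the decision is driven by supply_chain.compromised, not risk_state. The lockfile contents and package names are constructed.

```javascript
// Added example (not from the article, Attestd, or npm): find every pinned
// node-ipc in an npm lockfile, including transitive copies, and flag the
// versions the article lists. The lockfile below is constructed.
const AFFECTED = new Set(["9.1.6", "9.2.3", "12.0.1"]);

const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { "node-ipc": "^9.1.1" } },
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.1.6" },
    "node_modules/node-ipc": { version: "9.1.5" },
  },
};

// Returns { path, version } for every installed copy of `pkg`.
function findInstalls(lock, pkg) {
  const out = [];
  if (lock.packages) {                       // lockfileVersion 2 and 3: flat map
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split("node_modules/").pop() === pkg && meta.version) {
        out.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {            // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkg) out.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Only the installs whose pinned version is on the affected list.
function affectedInstalls(lock, pkg = "node-ipc", affected = AFFECTED) {
  return findInstalls(lock, pkg).filter((i) => affected.has(i.version));
}

// Decision from an Attestd /v1/check response: the supply-chain flag is the
// signal; risk_state stays "none" because no CVE exists for this compromise.
function isCompromised(check) {
  return Boolean(check.supply_chain && check.supply_chain.compromised);
}

// Stand-alone run: prints the nested 9.1.6 copy, not the top-level 9.1.5 one.
console.log(affectedInstalls(SAMPLE_LOCK));
```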

Sources: Socket, Ox Security, Upwind

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.