
Node-ipc compromised: Credential stealer targets package with 500k+ weekly downloads

Quincy Castro, CISO

Three malicious versions of node-ipc were published today, each with an aggressive credential harvester targeting cloud providers, SSH keys, Kubernetes configs, and AI API keys. Chainguard customers were not affected. Here's what happened and what you need to know.


Today, three malicious versions of node-ipc were published to npm: 12.0.1, 9.2.3, and 9.1.6. Node-ipc is a foundational package for inter-process communication in Node.js applications, with over half a million weekly downloads. The malware fires on every require('node-ipc'), silently harvesting credentials and exfiltrating them to an attacker-controlled server before application logic executes.

This attack is notable for its targeting breadth. The payload sweeps over 90 different credential file patterns, including cloud provider credentials (AWS, Azure, GCP), SSH keys, Kubernetes configurations, GitHub CLI tokens, Terraform state, and Claude AI API keys. Attackers in this case are going after the keys to your AI tools.

What the malware does

The malicious code was injected into the CommonJS entry point (node-ipc.cjs). The ESM entry point (node-ipc.js) is clean, indicating the attackers specifically targeted CommonJS users, where require() remains the dominant import pattern.

When a developer or CI system runs import 'node-ipc' or require('node-ipc'), the payload executes. It performs three operations in rapid succession:

  1. Credential harvesting: The malware reads files matching over 90 path patterns with fs.readFileSync, targeting credentials from cloud providers, container orchestration systems, CI/CD pipelines, version control platforms, and AI APIs.

  2. Environment variable exfiltration: Every environment variable in the running process gets packaged alongside the file contents.

  3. Stealthy exfiltration: The stolen data is packed into a gzip-compressed tar archive and exfiltrated via two channels: DNS TXT queries sent directly to Google DNS (8.8.8.8) to bypass local DNS controls, and HTTPS POST requests to a typosquatted domain (sh.azurestaticprovider.net, mimicking Microsoft's legitimate azurestaticapps.net).

The use of Google DNS to bypass local DNS monitoring, combined with a legitimate-looking C2 domain, demonstrates careful operational security on the attackers' part.

Indicators of compromise

If you've installed node-ipc@12.0.1, node-ipc@9.2.3, or node-ipc@9.1.6, treat your environment as compromised. The full list of IoCs:

Malicious packages:

  • node-ipc@12.0.1

  • node-ipc@9.2.3

  • node-ipc@9.1.6

Network indicators:

  • C2 domain: sh.azurestaticprovider.net

  • DNS resolver override: 8.8.8.8 (used to bypass local DNS controls)

File hashes:

  • SHA-256 (node-ipc-12.0.1.tgz): 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981

  • SHA-256 (compromised node-ipc.cjs): 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144

  • SHA-256 (injected payload block): b2001dc4e13d0244f96e70258346700109907b90e1d0b09522778829dcd5e4cf

Other artifacts:

  • Hardcoded auth key in payload: qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi

  • Module ID in exfil requests: bt.node.js

Immediate steps if you're affected

If you installed any of the malicious versions:

  1. Downgrade immediately to node-ipc@12.0.0, node-ipc@9.2.2, or node-ipc@9.1.5. Verify your current version with: node -e "console.log(require('node-ipc/package.json').version)"

  2. Rotate all credentials that may have been exposed: AWS, Azure, GCP, SSH keys, kubeconfig, GitHub tokens, npm tokens, Terraform state, and any AI API keys (Claude, OpenAI, etc.) accessible in the compromised environment.

  3. Block egress to sh.azurestaticprovider.net at your network perimeter for CI runners and developer machines.

  4. Audit your logs in CloudTrail, Azure Activity Logs, and GCP Audit Logs for any suspicious activity after the compromise window.

Why Chainguard customers were protected

Chainguard customers were not affected by this attack for two reasons: Chainguard Libraries builds packages from source, and Chainguard Repository's upstream fallback applies a cooldown period before newly published versions are served.

Chainguard Libraries for JavaScript are built from source with full provenance tracking. The malicious versions of node-ipc were pre-packaged tarballs with injected code that had no corresponding source code commits. This is the pattern we see in the majority of malware: attackers publish malicious artifacts directly to npm without touching the source repository. Because Chainguard builds from source, these phantom releases are never built and never served to customers.

For packages outside our catalog, customers were protected by Chainguard Repository's upstream npm fallback. We added the malicious versions to our blocklist, preventing them from being served through our infrastructure. The malicious versions also fell within our configurable cooldown period, further protecting Chainguard customers.

Scanners may have detected this attack, but only after the malicious packages had already been published and potentially installed. Chainguard's build-from-source approach blocks malicious packages from entering our catalog, and our rapid response prevents them from being served via the upstream fallback through the Chainguard Repository.

The bigger picture

Node-ipc has a complicated history. In 2022, the package maintainer deliberately sabotaged versions 10.1.1 and 10.1.2 as a protest, wiping files on systems in Russia and Belarus. That incident raised important questions about maintainer trust and supply chain integrity.

The attackers' targeting of AI API keys is worth noting. As organizations adopt AI tools and agent frameworks, those API keys become high-value targets. Compromising a Claude AI key gives attackers access to the context, code, and data you've been feeding through those tools. AI adoption has expanded the attack surface, and attackers are paying attention.

Get in touch with our team to learn more about how Chainguard can help you secure your software supply chain.
