EXECUTIVE SUMMARY
A threat actor has launched a supply chain attack targeting the node-ipc npm package, a popular tool for inter-process communication in Node.js applications. The malicious package, which has been published under versions 9.1.6, 9.2.3, and 12.0.1, contains an obfuscated stealer/backdoor that collects developer credentials, configuration files, and other sensitive information from compromised machines and CI environments. The attacker's goal is to exfiltrate this sensitive data through a DNS TXT query exfiltration mechanism, using a deliberate lookalike of Microsoft's legitimate Azure Static Web Apps domain as a bootstrap resolver.
The malware appears to execute automatically through the CommonJS entrypoint, using an environment variable named __ntw to distinguish the child execution path. The payload computes a special hash gate from the basename of the current module filename, which is used to determine whether to replace the module exports with the runner function. The decoded target lists for credential and configuration theft focus on developer and infrastructure secrets, including AWS, Azure, GCP, OCI, and other cloud provider credentials, as well as SSH keys, Kubernetes credentials, and other sensitive information.
The affected node-ipc versions should be removed and replaced with a known-clean version, and package-lock, yarn.lock, pnpm-lock, build caches, and local npm cache entries should be checked for the malicious node-ipc.cjs hash. Exposed environment variables and local developer secrets should be treated as compromised if the CommonJS package was loaded. SSH keys, npm tokens, cloud provider keys, GitHub and GitLab tokens, Kubernetes credentials, Docker registry credentials, Terraform credentials, and database credentials present on affected hosts should be rotated.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
| Initial Access | T1195 | Supply Chain Compromise | — |
REFERENCES:
The following reports contain further technical details: