
node-ipc npm Credential Stealer Hits 822K Downloads


On May 14, 2026, three malicious versions of node-ipc—a Node.js inter-process communication library with 822,000 weekly downloads—were simultaneously published to npm carrying a credential stealer that targets 90+ categories of developer secrets. The attack window lasted roughly two hours before the packages were pulled. If your project ran npm install during that window with a loose version constraint on node-ipc, assume every secret on that machine is compromised.

How the node-ipc Attacker Got In Without Hacking npm

The entry point wasn’t a vulnerability in npm’s infrastructure. The attacker simply re-registered atlantis-software.net—an email domain associated with a dormant maintainer account named atiertant—after it expired on May 7, 2026. With that domain under their control, they used npm’s standard password reset workflow to gain publish rights. No breach required.

This is the detail worth sitting with: npm’s own account recovery mechanism was the attack vector. The malicious versions—9.1.6, 9.2.3, and 12.0.1—were published seven days later, on May 14 at ~14:25 UTC. The package had been dormant since August 2024, a 21-month gap that gave the expired domain time to go unnoticed. As Semgrep’s analysis put it, “control of the expired email domain alone was enough to inherit ownership of the maintainer identity.”


What the npm Credential Stealer Does—and Why It’s Hard to Detect

The payload was injected as an Immediately Invoked Function Expression (IIFE) appended to node-ipc.cjs—the CommonJS bundle—growing the file from 37 KB to 117 KB. Critically, there are no install-time hooks in package.json, so the malware is invisible to tools that scan lifecycle scripts. It executes automatically when any code calls require('node-ipc'). Developers using ESM imports (import) are unaffected; the ESM entry point was untouched.

Once loaded, the stealer harvests over 90 credential categories silently: AWS IAM keys, Azure service principals, GCP credentials, SSH private keys, Kubernetes tokens, GitHub CLI configs, Terraform state, database passwords, shell history, .env files, and even Claude AI and Kiro IDE settings. Exfiltration bypasses corporate network monitoring by using DNS TXT record queries sent directly to the attacker’s IP—not through your configured DNS resolver. According to The Hacker News, those queries won’t appear in proxy logs or standard firewall alerts. A background daemon process also persists after the npm install job completes, continuing exfiltration long after the build finishes.
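The detection hint above (TXT queries sent straight to an IP rather than to your resolver) can be turned into a simple aggregation. This is an added example, not code from the article: it assumes a constructed one-line-per-query log with src=, dst= and qtype= fields, and a list of approved resolver addresses that you supply.

```shell
#!/usr/bin/env sh
# Added detection sketch (not from the article). Assumes a constructed DNS log with
# "src=<client> dst=<server> qtype=<type>" fields, one query per line, on stdin.

APPROVED_RESOLVERS="10.0.0.53 10.0.0.54"   # constructed: your configured resolvers

# Print "src dst count" for every client that sent at least $1 (default 5) TXT
# queries directly to a server that is not an approved resolver.
flag_txt_bursts() {
  threshold="${1:-5}"
  awk -v resolvers="$APPROVED_RESOLVERS" -v min="$threshold" '
    BEGIN { n = split(resolvers, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
    {
      src = ""; dst = ""; qtype = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src") src = kv[2]
        else if (kv[1] == "dst") dst = kv[2]
        else if (kv[1] == "qtype") qtype = kv[2]
      }
      # Only TXT lookups that bypass the approved resolvers are of interest.
      if (qtype == "TXT" && !(dst in ok)) count[src " " dst]++
    }
    END { for (k in count) if (count[k] >= min) print k, count[k] }
  ' | sort
}
```

Feed it an exported query log, e.g. `flag_txt_bursts 20 < dns-2026-05-14.log`, and treat any client/destination pair it prints as a host to triage.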

The Second Supply Chain Attack on This Package in Four Years

Node-ipc has been here before. In 2022, its original author, Brandon Nozaki Miller, embedded “peacenotwar” protestware that checked the host’s IP address and—if it was located in Russia or Belarus—deleted files and replaced them with a heart emoji. That was ideological. This 2026 attack, independently staged by a different actor, is purely financial: harvest credentials, sell or exploit them, leave no obvious trace.

Two supply chain attacks on the same package in four years isn’t bad luck. It’s a signal that the package’s maintainer model is broken and that dormant, high-download packages are an attractive target category. If node-ipc is in your dependency tree—directly or transitively—it warrants scrutiny regardless of this incident.

What You Need to Do Right Now

First, check your lockfiles. The malicious versions are 9.1.6, 9.2.3, and 12.0.1. Safe versions are 9.2.1 and 12.0.0. Run npm install node-ipc@12.0.0, regenerate your lockfile, and clear your npm cache. Check for staging artifacts with ls -la "${TMPDIR}/nt-"* and look for background processes with the __ntw=1 environment marker. Then block egress to sh.azurestaticprovider[.]net.
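The lockfile and host checks above, scripted as an added example (not the article’s or the node-ipc project’s code). It assumes npm’s package-lock.json v2/v3 layout, where each installed package appears under a "node_modules/..." key, and a Linux /proc filesystem for the process check.

```shell
#!/usr/bin/env sh
# Added triage helper (not from the article or the node-ipc project). Assumes npm's
# package-lock.json v2/v3 layout and, for the process check, a Linux /proc filesystem.

MALICIOUS_VERSIONS="9.1.6 9.2.3 12.0.1"   # the three versions named in the article

# Return 0 if $1 is one of the known-malicious node-ipc versions, 1 otherwise.
is_malicious_version() {
  for v in $MALICIOUS_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Print every node-ipc version resolved in a package-lock.json, one per line, by
# matching "node_modules/.../node-ipc": { "version": "x.y.z" } entries (lockfile v2/v3).
lockfile_node_ipc_versions() {
  tr -d '\n' < "$1" \
    | grep -o '"node_modules/[^"]*node-ipc": *{[^}]*"version": *"[^"]*"' \
    | sed 's/.*"version": *"\([^"]*\)".*/\1/'
}

# Print only the malicious versions pinned in the lockfile; empty output means clean.
lockfile_malicious_versions() {
  for ver in $(lockfile_node_ipc_versions "$1"); do
    is_malicious_version "$ver" && echo "$ver"
  done
  return 0
}

# Look for the staging artifacts and the persistent daemon described above.
# $1 is the temp directory to inspect (defaults to $TMPDIR, then /tmp).
# Returns 0 when nothing suspicious is found, 1 otherwise.
check_host_artifacts() {
  dir="${1:-${TMPDIR:-/tmp}}"
  found=0
  for f in "$dir"/nt-*; do
    [ -e "$f" ] && { echo "staging artifact: $f"; found=1; }
  done
  # Processes started with the __ntw=1 marker; other users' environ files are
  # unreadable without root, so run this as root for full coverage.
  for env in /proc/[0-9]*/environ; do
    if tr '\000' '\n' 2>/dev/null < "$env" | grep -qx '__ntw=1'; then
      echo "suspicious process: ${env%/environ}"
      found=1
    fi
  done
  return $found
}
```

Run `lockfile_malicious_versions package-lock.json` in every repository and `check_host_artifacts` on every build agent that ran npm install during the window; lockfile v1 (npm 6) uses a different layout and is not parsed here.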

Then rotate credentials—immediately and in this order, per guidance from BleepingComputer and Snyk:

  • AWS IAM keys and session tokens
  • SSH private keys (check authorized_keys across all servers)
  • Kubernetes service account tokens
  • GitHub personal access tokens and GitHub Actions secrets
  • All cloud provider service keys (Azure, GCP, OCI)
  • Every .env file secret, database connection string, and API key

After rotating, audit your cloud IAM logs and GitHub audit logs for unauthorized activity. If your CI/CD pipeline ran npm install during the May 14-15 window, treat the entire pipeline credential set as compromised and rebuild from scratch. Don’t wait for evidence of exploitation—by the time you find it, the damage is done.

Key Takeaways

  • The malicious versions are node-ipc@9.1.6, 9.2.3, and 12.0.1—pin to 9.2.1 or 12.0.0 immediately
  • The attacker never hacked npm; they used npm’s password reset after re-registering an expired maintainer email domain
  • ESM users (import) are unaffected; CommonJS (require()) users face full credential exposure
  • DNS-based exfiltration means standard HTTP monitoring won’t catch this—check DNS logs for TXT query bursts
  • Rotate credentials first, investigate second—don’t wait for confirmation of compromise before acting
ByteBot