Stealer Backdoor Found in 3 Versions of Node-IPC Targeting Developer Secrets

Cybersecurity researchers are sounding the alarm about what has been described as “malicious activity” in newly published versions of node-ipc.
According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious:
- node-ipc@9.1.6
- node-ipc@9.2.3
- node-ipc@12.0.1
“Preliminary analysis shows that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscating behavior/backdoor,” Socket said.
“The malware appears to fingerprint the host’s environment, enumerate and read local files, compress and aggregate collected data, wrap the payload in a cryptographic envelope, and attempt delivery via a network endpoint designated via DNS/logical address.”
StepSecurity said that the obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server.
This spans 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI settings, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more. The collected data is then compressed into a GZIP archive and transferred to the “sh.azurestaticprovider[.]net” domain.
These three versions were published by an account called “atiertant,” which is not connected to the original author of the package, “riaevangelist.” Although “atiertant” appears in the list of maintainers, the account has no previous publishing history related to the node-ipc package. The previous release of the package was in August 2024.
The fact that a dormant, high-download package was compromised after a gap of 21 months indicates that the “atiertant” credentials were recently compromised, or that the account was added as a maintainer specifically to publish the malicious versions.

What’s notable about the implant is that it doesn’t rely on any npm lifecycle hooks like preinstall, install, or postinstall scripts; instead, it appends its loader as an Immediately Invoked Function Expression (IIFE) to the end of “node-ipc.cjs.” This, in turn, causes the malware to execute unconditionally on every require(‘node-ipc’).
That’s not all, as the payload also computes a SHA-256 fingerprint and compares it to a hard-coded hash assembled from eight obfuscated table entries embedded in the code, before proceeding with system fingerprinting and the full credential harvest.
“This means that 12.0.1 does not run at all on any machine whose main module path does not hash to the target value,” said StepSecurity researcher Sai Likhith. “The attacker knows exactly which project or developer is targeted and pre-computed the hash of the entry point before publishing it. The 9.x versions do not have this gate and will perform the full harvest on any system that loads them.”
The malware also includes a second exfiltration channel alongside the HTTPS POST of the compressed stolen data to the Azure-lookalike domain. It encodes fragments of the archive into DNS TXT queries, after sidestepping the system’s DNS resolver in favor of public DNS so as to evade local DNS-based security controls.
“It first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to find the C2 IP,” StepSecurity said. “It then points the resolver directly at the C2 IP for all exfiltration queries.”
“The direct-to-C2 DNS exfiltration is a significant anti-detection technique. Because the exfiltration queries never touch public DNS resolvers, there is no detectable bt.node.js activity in public DNS logs. Organizations that rely solely on DNS logging through corporate resolvers will not see this traffic.”
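A defender-side check for the blind spot that quote describes, as an added example that is not from the article, StepSecurity, or node-ipc: it scans constructed flow-log lines for DNS traffic that does not go to the approved corporate resolvers, separating traffic to the well-known public resolvers named above from traffic sent straight to some other host. The log format, the approved resolver addresses, and the sample flows are assumptions.

```javascript
// Added example, not from the article or from node-ipc. Flags port-53 traffic
// that bypasses the corporate resolvers, which resolver-only DNS logging misses.
const APPROVED_RESOLVERS = new Set(["10.0.0.53", "10.0.1.53"]); // assumed corporate resolvers
const WELL_KNOWN_PUBLIC = new Set(["1.1.1.1", "8.8.8.8"]);       // resolvers named in the article

// Constructed flow-log lines: space-separated key=value pairs, one flow per line.
const SAMPLE_FLOWS = `
ts=1 src=10.0.2.14 dst=10.0.0.53 proto=udp dport=53
ts=2 src=10.0.2.14 dst=1.1.1.1 proto=udp dport=53
ts=3 src=10.0.2.14 dst=203.0.113.7 proto=udp dport=53
ts=4 src=10.0.2.14 dst=203.0.113.7 proto=tcp dport=443
ts=5 src=10.0.2.15 dst=8.8.8.8 proto=udp dport=53
`.trim().split("\n");

// Turn one "k=v k=v ..." line into an object.
function parseFlow(line) {
  const rec = {};
  for (const field of line.trim().split(/\s+/)) {
    const [k, v] = field.split("=");
    rec[k] = v;
  }
  return rec;
}

// Returns null for non-DNS flows and for DNS to an approved resolver;
// otherwise a finding that says which stage of the bypass the flow resembles.
function classifyDnsFlow(flow) {
  if (flow.dport !== "53") return null;
  if (APPROVED_RESOLVERS.has(flow.dst)) return null;
  const kind = WELL_KNOWN_PUBLIC.has(flow.dst)
    ? "public-resolver-bypass" // stage 1: C2 name resolved via 1.1.1.1 / 8.8.8.8
    : "direct-to-host-dns";    // stage 2: queries sent straight to the resolved C2 IP
  return { ts: flow.ts, src: flow.src, dst: flow.dst, proto: flow.proto, kind };
}

// Run the classifier over a batch of log lines and keep only the findings.
function findDnsBypass(lines) {
  return lines.map(parseFlow).map(classifyDnsFlow).filter(Boolean);
}

for (const f of findDnsBypass(SAMPLE_FLOWS)) {
  console.log(`${f.kind}: ${f.src} -> ${f.dst}/${f.proto}:53 (ts=${f.ts})`);
}
```

On the sample above the approved-resolver flow and the HTTPS flow are ignored, while the two public-resolver lookups and the port-53 traffic to 203.0.113.7 are reported.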
It’s not the first time the npm package has shipped malicious functionality. In March 2022, the maintainer of the package deliberately introduced a destructive routine in versions 10.1.1 and 10.1.2 that overwrote files on systems located in Russia or Belarus, as a form of protest following Russia’s military invasion of Ukraine.
The two subsequent versions – 11.0.0 and 11.1.0 – included the “peacenotwar” dependency, which was published by the same maintainer as “a non-violent protest against Russian aggression.”
“The latest incident appears to involve a suspicious republishing or reintroduction of malicious code in versions of a known package, rather than a typosquatting attempt,” Socket said.
Users are advised to remove the malicious versions of node-ipc and reinstall a known clean version (9.2.1 or 12.0.0), treat credentials and secrets as compromised and rotate them, audit npm publish activity for any packages accessible with the rotated tokens, review CI job run logs to check whether any IAM or cloud credentials were exposed during the compromised window, and block outbound traffic to the C2 domain.