
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

  • General

Cybersecurity experts are warning of "malicious activity" discovered in recently released versions of the node-ipc package. According to Socket and StepSecurity, three npm versions, node-ipc@9.1.23, node-ipc@9.2.3 and node-ipc@12.0.1, have been confirmed as malicious. Early analysis shows that node-ipc@9.1.6, node-ipc version 9.2.3, and node-ipc@12.0.

"According to Socket, 103 of them exhibit obfuscated stealer or backdoor behavior. The malware fingerprints the host environment, enumerates and reads local files, compresses and chunks the gathered data, wraps the payload in a cryptographic envelope, and tries to exfiltrate it to a network endpoint chosen through DNS or address-based logic."

StepSecurity reported that the heavily obfuscated payload activates as soon as the package is imported at runtime; no function of node-ipc needs to be called. It then tries to harvest a wide range of developer and cloud credentials and exfiltrate them to an external command-and-control (C2) server. The targeted material spans 90 categories of secrets, including AWS, Google Cloud and Azure credentials, SSH keys, Kubernetes tokens, GitHub CLI configuration, Claude AI and Kiro IDE settings, Terraform state files, database passwords, shell history and many others. The collected data is compressed into a GZIP archive and sent to "sh.azurestaticprovider[.]net".

The three versions were published by an account called "atiertant", which has no affiliation with the package's original author, "riaevangelist".
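As an added practical check, not code from the article, Socket or StepSecurity: the following Node script walks a package-lock.json (both the nested v1 "dependencies" tree and the flat v2/v3 "packages" map) and reports every installed copy of node-ipc whose resolved version is one of the three named above, including copies nested under other dependencies, which `npm ls` users often miss. It also scans a set of source files for the exfiltration host reported above (defang brackets removed so it matches literally). The two lockfiles embedded below are constructed for the demonstration.

```javascript
// Added example: lockfile and IOC scan for the malicious node-ipc releases.
// The versions and the exfiltration host come from the report above;
// SAMPLE_LOCK_V3 and SAMPLE_LOCK_V1 are constructed test inputs.
const MALICIOUS_NODE_IPC = new Set(['9.1.23', '9.2.3', '12.0.1']);
const IOC_HOST = 'sh.azurestaticprovider.net'; // reported exfil endpoint, undefanged

// Return every installed node-ipc entry in a parsed package-lock.json, with
// its node_modules path and resolved version, for lockfileVersion 1, 2 or 3.
function findNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: "packages" is keyed by install path, e.g. "node_modules/a/node_modules/node-ipc"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/node-ipc' || path.endsWith('/node_modules/node-ipc')) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  // v1: nested "dependencies" tree; rebuild the install path while recursing
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc') hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Only the entries whose exact resolved version is one of the confirmed malicious releases.
function maliciousNodeIpc(lock) {
  return findNodeIpc(lock).filter((h) => MALICIOUS_NODE_IPC.has(h.version));
}

// Given { filePath: sourceText }, return the files that embed the reported C2 host.
function filesWithIoc(files) {
  return Object.keys(files).filter((p) => files[p].includes(IOC_HOST));
}

// Constructed v3 lockfile: a caret range on 9.1.1 that resolved to 9.2.3 (malicious)
// plus a clean nested copy under another dependency.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-ipc': '^9.1.1', 'some-tool': '^1.0.0' } },
    'node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.1.1' },
  },
};

// Constructed v1 lockfile: node-ipc only present transitively, at 12.0.1 (malicious).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': { version: '1.0.0', dependencies: { 'node-ipc': { version: '12.0.1' } } },
  },
};

// Stand-alone use: node scan.js path/to/package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK_V3;
  const bad = maliciousNodeIpc(lock);
  for (const h of bad) console.log(`MALICIOUS node-ipc ${h.version} at ${h.path}`);
  process.exitCode = bad.length ? 1 : 0;
}

module.exports = { findNodeIpc, maliciousNodeIpc, filesWithIoc, SAMPLE_LOCK_V3, SAMPLE_LOCK_V1 };
```

Note that the constructed v3 lockfile shows why a caret range is not protection here: `^9.1.1` legitimately resolves to 9.2.3, so a fresh `npm install` without a lockfile could pull the malicious build. Pin the dependency to a known-good exact version, run this check in CI against the committed lockfile, and cross-check with `npm ls node-ipc --all`, which prints every resolved copy in the tree.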

  The Hacker News