Cybersecurity experts are warning of "malicious activity" found in recently released versions of the node-ipc package. According to Socket and StepSecurity, three versions of the npm package, node-ipc@9.1.23, node-ipc@9.2.3, and node-ipc@10.1.1, have been identified as malicious. Early analysis shows that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.103 include obfuscated stealer and backdoor functionality, Socket stated. "The malware seems to fingerprint the host environment, enumerate and read local files, compress and segment the gathered data, encrypt the payload, and try to exfiltrate it via a network endpoint chosen through DNS or address-based logic."

StepSecurity reported that the heavily obfuscated payload activates when the package is imported at runtime. It then attempts to steal a wide array of developer and cloud credentials and exfiltrates them to an external command-and-control (C2) server. The data spans 90 categories of credentials, including Amazon Web Services, Google Cloud, and Microsoft Azure credentials, SSH keys, Kubernetes tokens, GitHub CLI configurations, Claude AI and Kiro IDE settings, Terraform state files, database passwords, shell history, and many others. The collected data is compressed into a GZIP archive and sent to the domain "sh.azurestaticprovider[.]net".

The three versions were published by an account named "atiertant," which has no connection to the package's original author, "riaevangelist."
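Since the payload runs on import, the practical defender check is whether a project's lockfile pins any of the flagged node-ipc versions, directly or transitively. The following is an added example written for this article, not code from Socket, StepSecurity or the node-ipc project; the version list is taken from the article text above and should be confirmed against the vendors' advisories, and the sample lockfile is constructed.

```javascript
// Versions the article names as malicious (assumption: taken from the text
// above; verify against the Socket/StepSecurity advisories before acting).
const MALICIOUS_NODE_IPC = new Set([
  "9.1.6", "9.1.23", "9.2.3", "10.1.1", "12.0.103",
]);

// Scan a parsed package-lock.json for flagged node-ipc versions.
// Handles both layouts: lockfileVersion 2/3 keeps a flat "packages" map keyed
// by install path; lockfileVersion 1 keeps a nested "dependencies" tree.
// Returns [{ path, version }] for every flagged copy found.
function findMaliciousNodeIpc(lock) {
  const hits = [];
  const check = (path, version) => {
    if (MALICIOUS_NODE_IPC.has(version)) hits.push({ path, version });
  };
  // v2/v3: keys look like "node_modules/foo/node_modules/node-ipc"
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/node-ipc")) check(path, entry.version);
  }
  // v1: recurse through nested "dependencies", rebuilding the install path
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc") check(path, dep.version);
      walk(dep.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout): one clean transitive copy of
// node-ipc and one compromised direct dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.1" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.1.4" },
  },
};

const sampleHits = findMaliciousNodeIpc(SAMPLE_LOCK);
console.log(sampleHits.length ? sampleHits : "no flagged node-ipc versions");
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means the dependency should be pinned to a known-good version and any credentials on the affected host rotated.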
The Hacker News