Node‑ipc Hit Again: Inside the Second Wave of npm Supply‑Chain Attacks

On May 14, 2026, security teams uncovered three malicious node‑ipc npm releases. Published after a Lily Pad account hijack, they inject an 80 KB obfuscated payload and exfiltrate credentials via DNS TXT tunneling, prompting immediate version audits and credential rotation.

Black & White Path

Event Overview

On May 14, 2026, multiple security groups—including Socket Security, StepSecurity, and the Datadog Security Lab—identified malicious code in three npm releases of node‑ipc (versions 9.1.6, 9.2.3, and 12.0.1). The package averages about 822,000 weekly downloads, giving the attack a very broad reach.

Attack Pattern

The intrusion follows the same “Lily Pad” supply‑chain model seen in the 2023 incident. Instead of creating a look‑alike package, the attacker reclaimed a domain that previously belonged to the maintainer, used the password‑reset flow to seize the npm account, and then published the malicious versions as the legitimate maintainer.

Step‑by‑Step Reconstruction

Account Hijack: The attacker registered a domain that had once been used by the maintainer but was now abandoned, then reset the npm account password via the domain’s email address.

Version Publication: Acting as the legitimate maintainer, the attacker uploaded the three compromised releases to the npm registry.

Payload Injection: Each node‑ipc.cjs file contains the normal esbuild output followed by roughly 80 KB of heavily obfuscated malicious code. StepSecurity reports that all three versions carry the exact same credential‑stealing payload.

Silent Execution: On non‑Windows platforms the payload behaves conservatively; on Windows it creates a temporary directory /tmp/nt-<pid>/ and installs a persistence mechanism.

Malicious Payload Analysis

The injected code communicates with a command‑and‑control server via DNS TXT queries. The C2 domain bt.node.js (a redirect to sh.azurestaticprovider.net) resolves to 37.16.75.69. Data exfiltration uses DNS tunneling, sending credentials in TXT records to bypass firewalls and logging. The payload harvests the following categories of secrets:

Local Keys: SSH private keys, PGP/GPG keys.

Cloud Credentials: AWS, Azure, GCP keys and configuration files.

Environment Variables: .env files and CI/CD secrets.

AI Tool Configs: Claude API keys, OpenAI tokens.

Development Tools: Git credentials, npm/GitHub tokens.

Investigation and Mitigation Steps

Version Audit: Search package‑lock.json or yarn.lock for node‑ipc@9.1.6, 9.2.3, or 12.0.1.

DNS Log Review: Look for TXT query records to bt.node.js in server DNS logs.

Immediate Upgrade: Move to node‑[email protected], 12.0.2, or any newer safe version.

Credential Rotation: Isolate affected build environments and rotate all potentially leaked secrets.
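A lockfile audit and DNS-log check for the two indicators above, as an added Node.js example that is not part of the original article or of the node‑ipc project. It assumes BIND-style query logging ("query: <name> IN TXT"); the lockfile and log lines are constructed samples.

```javascript
// Added example, not code from the article or from node-ipc: audit npm lockfiles
// for the three compromised node-ipc releases and flag DNS query-log lines that
// carry TXT queries for the C2 domain. Lockfile and log samples are constructed.
const COMPROMISED_NODE_IPC = new Set(['9.1.6', '9.2.3', '12.0.1']);
const C2_DOMAIN = 'bt.node.js';

// Handles both lockfile shapes: lockfileVersion 2/3 ("packages" keyed by install
// path) and lockfileVersion 1 ("dependencies", nested per package). Transitive
// installs count too, so every path ending in node_modules/node-ipc is checked.
function findCompromisedNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/node-ipc') && COMPROMISED_NODE_IPC.has(meta.version))
        hits.push({ path, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc' && COMPROMISED_NODE_IPC.has(meta.version))
        hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Flags BIND-style query-log lines ("query: <name> IN TXT") whose name is the C2
// domain or a subdomain of it: tunnelled data rides in the leading labels.
function findC2TxtQueries(lines) {
  return lines.filter((line) => {
    const m = /query:\s+(\S+)\s+IN\s+TXT\b/i.exec(line);
    if (!m) return false;
    const name = m[1].replace(/\.$/, '').toLowerCase();
    return name === C2_DOMAIN || name.endsWith(`.${C2_DOMAIN}`);
  });
}

// Constructed samples: a v3 lockfile with a transitive node-ipc@9.2.3, and four
// log lines of which only the two bt.node.js TXT lookups should be flagged.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/some-cli/node_modules/node-ipc': { version: '9.2.3' } } };
const SAMPLE_DNS_LOG = [
  'client 10.0.0.5#41233: query: www.example.com IN A +',
  'client 10.0.0.7#52110: query: abcd1234.bt.node.js IN TXT +',
  'client 10.0.0.9#44012: query: bt.node.js IN TXT +',
  'client 10.0.0.7#52111: query: notbt.node.js IN TXT +' ];
```

Run the two functions over your real package‑lock.json (parsed with JSON.parse) and your resolver's query log; any lockfile hit or flagged query line is a trigger for the isolation and rotation steps above.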

Impact Assessment

The compromise is assessed with high confidence. node‑ipc is a widely used inter‑process communication library; many well‑known open‑source projects depend on it, and the number of potentially affected systems worldwide is estimated in the hundreds of thousands.

[Figure: node‑ipc supply chain attack diagram]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: information security, npm, credential theft, node-ipc, supply chain attack, Lily Pad attack

Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
