Embedded Malicious Code Affecting node-ipc package, versions 9.1.6, 9.2.3, 12.0.1


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-NODEIPC-16697063
  • Published: 15 May 2026
  • Disclosed: 14 May 2026
  • Credit: Unknown

Introduced: 14 May 2026

Tags: New, Malicious. CVE: not available. CWE: CWE-506 (Embedded Malicious Code)

How to fix?

Avoid using all malicious instances of the node-ipc package.

Overview

node-ipc is a Node.js module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning.

Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an advanced credential-stealing infostealer. A malicious actor used a compromised, dormant maintainer account to publish tampered versions of the node-ipc package to npm. The malicious payload is embedded only in the CommonJS bundle (node-ipc.cjs) and executes silently when the module is loaded via require('node-ipc'), without relying on pre/post-install scripts.

Note: Projects importing the package via ESM (import ipc from 'node-ipc') are unaffected, as the ESM entry point was left completely untouched.

Infostealer Behavior

According to security researchers, the obfuscated payload is designed to silently execute a detached background child process that enumerates the system and harvests over 90 categories of sensitive data. The targeted secrets include cloud provider tokens (AWS, Azure, GCP), SSH keys, CI/CD secrets, Kubernetes tokens, environment variables, and AI tooling configs (like Claude). The malware compresses the stolen data into a gzip archive and covertly exfiltrates it via DNS TXT queries to an attacker-controlled domain (sh.azurestaticprovider.net), masquerading as legitimate Azure traffic to evade standard HTTP egress monitoring.

Observations:

  1. The malware uses DNS exfiltration to bypass standard network controls and leaves the application running normally to avoid arousing suspicion.
  2. Version 12.0.1 includes a precision targeting gate that restricts payload execution to a specific, pre-computed SHA-256 hash of the primary module path, whereas versions 9.1.6 and 9.2.3 execute unconditionally.
