Cybersecurity researchers are sounding the alarm about what has been described as “malicious activity” in newly published versions of node-ipc.
According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious –
“Early analysis indicates that [email protected], [email protected], and [email protected] contain obfuscated stealer/backdoor behavior,” Socket said.
“The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.”
StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server.
This includes 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more. The harvested data is then compressed into a GZIP archive and transmitted to the “sh.azurestaticprovider[.]net” domain.
The three versions were published by an account named “atiertant,” which has no connection to the package’s original author, “riaevangelist.” Although “atiertant” appears in the maintainer list, the account has no prior publish history in connection with the node-ipc package. The previous update to the package was in August 2024.
The fact that the dormant, high-download package was compromised after a 21-month gap indicates that either the “atiertant” credentials were newly compromised, or the account was specifically added as a maintainer to publish the malicious versions.
What’s notable about the activity is that it does not rely on any npm lifecycle hooks such as preinstall, install, or postinstall scripts, instead appending the malicious payload as an Immediately Invoked Function Expression (IIFE) to the end of “node-ipc.cjs.” This, in turn, causes the malware to fire unconditionally on every require(‘node-ipc’).
The oddity doesn’t end there, for the payload performs a SHA-256 fingerprint check and compares it against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code, before proceeding with system enumeration and comprehensive credential harvesting.
“This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value,” StepSecurity researcher Sai Likhith said. “The attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing. The 9.x versions do not have this gate and will execute the full payload on any system that loads them.”
The malware also incorporates a second exfiltration channel besides issuing an HTTPS…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
