On May 14, 2026, the MistEye threat intelligence monitoring system identified three anomalous releases of the Node.js IPC toolkit, node-ipc, on npm (Node Package Manager). The affected versions, 9.1.6, 9.2.3, and 12.0.1, contained malicious code designed for credential theft and data exfiltration.

What Happened

The compromised versions of node-ipc, which has approximately 530,066 weekly downloads and is used by over 400 open-source projects, included about 80KB of obfuscated code. This code was capable of collecting sensitive information such as AWS cloud credentials, SSH private keys, and system environment variables. The malicious code was injected into the CommonJS entry file, node-ipc.cjs, while the ECMAScript Modules entry remained unaffected.

The attack leveraged the legitimate release pipeline of the node-ipc package, allowing the malicious versions to be distributed without raising immediate alarms. The new maintainer account, atiertant, which pushed these versions, had no prior release history, raising suspicions about the account's legitimacy.

The On-Chain and Web Evidence

Upon analysis, the malicious logic was found to be identical across the three versions, indicating a coordinated attack. The obfuscated code employed techniques such as control-flow flattening and string-table indexing to obscure its true purpose. The malware was designed to activate upon loading the package, making it particularly stealthy.

Data exfiltration was conducted through a DNS tunneling strategy, where collected data was fragmented and sent via DNS queries to attacker-controlled servers. This method enhances stealth, as it avoids traditional HTTP/HTTPS channels.

This incident highlights the vulnerabilities inherent in the npm ecosystem, particularly regarding supply chain attacks. The use of a legitimate package to distribute malicious code underscores the need for vigilance among developers and organizations relying on open-source software.

Organizations should take immediate action by checking their dependency trees, including transitive dependencies, for the affected versions of node-ipc (9.1.6, 9.2.3, and 12.0.1). If found, they should downgrade or replace these versions with trusted alternatives. Additionally, monitoring for abnormal DNS requests related to the identified malicious domains and IP addresses is crucial, since the exfiltration channel was DNS rather than HTTP/HTTPS.

Implementing entry-point integrity verification in the Node.js supply chain deployment process can help prevent similar incidents in the future. This includes checking for tampering in both node-ipc.cjs and node-ipc.js files.


Written by TrustSniffer Intelligence