StepSecurity (@step_security) “🚨 BREAKING: node-ipc compromised. Again. Three malicious versions of node-ipc (” — TopicDigg

🚨 BREAKING: node-ipc compromised. Again. Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads. Here's what happened: An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough. What it steals: → AWS, Azure, GCP credentials → SSH private keys → Kubernetes configs → Docker tokens → GitHub CLI tokens → AI tool configs (including Claude) → Terraform state → 90+ credential file patterns in total Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic. The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh. Key details: Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean. The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack. This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation. If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything. Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected: