Socket and StepSecurity researchers discovered stealer backdoors embedded in three versions of node-ipc, a widely used npm package that provides inter-process communication for JavaScript applications. Versions 9.1.6, 9.2.3, and 12.0.1 contain malicious code that harvests credentials across 90 categories — including cloud provider keys, SSH keys, and developer tokens — and exfiltrates them to attacker-controlled infrastructure. The malicious versions were published by a previously unknown account with no prior connection to the package’s original maintainer, following a 21-month gap in updates.
Unknown Account “atiertant” Published Malicious Versions After 21-Month Dormancy
The three malicious versions of node-ipc were uploaded by an account named “atiertant” — a publisher with no documented history on npm and no prior association with the package’s original maintainer, “riaevangelist.” The 21-month dormancy period before the malicious uploads is consistent with an account takeover or the unauthorized addition of a new publisher account to the package, patterns used in previous npm supply chain attacks to establish a trusted publication path before introducing malicious code.
Version 12.0.1 includes a SHA-256 fingerprint check that targets specific project types, suggesting the attacker tailored at least one of the backdoor versions to focus on particular development environments. Researchers found no equivalent targeting logic in versions 9.1.6 and 9.2.3, which appear to harvest credentials indiscriminately based on file pattern matching rather than project-type detection.
Ninety Credential Categories Targeted: AWS, Azure, Google Cloud, SSH, and Kubernetes
The backdoor code fingerprints the host environment, enumerates local files matching targeted credential patterns, compresses and chunks the collected data, and exfiltrates it to attacker infrastructure. The 90 targeted credential categories span the breadth of cloud and developer tooling in common use:
AWS access keys and configuration files, Google Cloud service account credentials, Microsoft Azure authentication tokens, SSH private keys, Kubernetes service account tokens, GitHub configuration files and personal access tokens, Claude AI settings, Terraform state files, database connection strings and passwords, and shell history files are among the documented categories. The combination of cloud provider credentials, container orchestration tokens, and version control system access represents the full suite of credentials needed to pivot from a developer workstation into production cloud infrastructure.
Identifying Safe node-ipc Versions and Removing the Malicious Backdoor Builds
At the time of reporting, the malicious versions remain published on the npm registry. Known-safe versions are 9.2.1 and 12.0.0. Developers and organizations using node-ipc should audit their package-lock.json and yarn.lock files for versions 9.1.6, 9.2.3, or 12.0.1 and remove them immediately. Running npm audit is a starting point for catching these version identifiers, though it depends on the npm advisory database reflecting the compromise.
The broader supply chain risk extends to any project that directly or transitively depends on the affected versions. Because node-ipc is used as a dependency in other popular packages, developers should audit not just direct dependencies but the full dependency tree for any locked reference to the three malicious versions.
Assessing Credential Exposure After Running Backdoored node-ipc Versions
Any environment that executed one of the three malicious node-ipc versions should be treated as potentially compromised. The 90 targeted credential categories are broad enough that most JavaScript development environments will have at least some matching secrets on disk — shell history files and AWS credential files are nearly universal in developer workstations, regardless of project type.
Organizations should rotate all cloud provider credentials, SSH keys, GitHub tokens, and Kubernetes service account tokens that were present on machines where the malicious versions ran. Database passwords and Terraform state files should be reviewed for unauthorized access. API keys embedded in .env files should be revoked and reissued. The backdoor compresses and chunks data before sending, so the exfiltration need not appear as one large transfer: a brief window of outbound connectivity to the attacker infrastructure may have been enough to send part or all of the collected data. Security teams should check outbound connection logs for anomalous data transfers matching the exfiltration timing.
