node-ipc Supply Chain Attack: Malicious npm Versions Steal AWS Keys, GitHub Tokens via DNS Exfiltration
Three malicious versions of node-ipc (822K weekly downloads) published May 14 harvested 90+ credential categories from developer machines and CI environments, exfiltrating everything via DNS TXT queries to evade network monitoring. If you ran npm install on May 14, rotate all credentials now.
Three versions of node-ipc — a Node.js package with 822,000 weekly downloads — were published to npm on May 14, 2026 containing a credential-stealing backdoor. The malicious versions (9.1.6, 9.2.3, and 12.0.1) harvested over 90 categories of secrets and exfiltrated them via DNS TXT queries, a technique chosen specifically to evade network-layer security monitoring. The packages remained live for approximately two hours before removal.
The attack succeeded because a dormant maintainer account was hijacked after an attacker re-registered an expired email domain associated with that account. No vulnerability in npm’s infrastructure was exploited — only npm’s standard account recovery mechanism.
node-ipc is a transitive dependency for several high-visibility packages. Many projects pulled the malicious versions without any direct reference to node-ipc in their own package.json. If you ran npm install or updated dependencies on May 14, assume compromise.
What the Backdoor Stole
- Cloud credentials: AWS IAM keys and session tokens, Azure service principal credentials, GCP service account JSON
- Source control tokens: GitHub personal access tokens, GitLab tokens, Bitbucket app passwords
- Infrastructure keys: SSH private keys, Kubernetes ~/.kube/config files, Terraform state and variable files
- Local tooling: Claude AI API keys, Kiro IDE session tokens, JetBrains Hub credentials
The DNS TXT exfiltration technique is the critical detail. By encoding credentials as DNS lookups rather than direct HTTP POST requests, the malware bypasses most egress filtering and SIEM rules watching for outbound data to unknown IP ranges. Detection requires DNS query logging — something many developer workstations and CI environments don’t have enabled by default.
Immediate Actions
- Check your lock files: Run npm ls node-ipc to determine whether affected versions appear in your dependency tree.
- Rotate everything: If any of the three versions appeared in your environment, assume all credentials on that machine are burned. Rotate AWS keys, revoke GitHub tokens, regenerate SSH keypairs, invalidate Kubernetes service accounts.
- Audit CI/CD: Any runner that built your project during the May 14 window should have its secrets rotated and service connections re-authorized.
- Pin clean versions: Safe versions are 9.1.5 (previous stable) or 9.2.2. Pin explicitly until a verified clean release ships at 12.0.2+.
This Is the Second Time
node-ipc was previously at the center of a 2022 protest incident where its maintainer intentionally corrupted outputs for Russian and Belarusian IP addresses. That incident demonstrated the package’s outsized blast radius. This is now the second time node-ipc’s supply chain has been weaponized.
The root problem is structural: npm’s account recovery model allows dormant accounts to be hijacked via expired email domains with no additional identity verification. High-download packages with inactive maintainers are a permanent attack surface. Until npm introduces hardware key requirements or account inactivity freeze policies, this class of attack will keep succeeding.
Consider whether node-ipc remains an acceptable transitive dependency for your projects. In most cases, its inter-process communication functionality can be replaced with Node’s built-in worker_threads or a smaller, actively maintained package.