Buconos

Node-IPC Malware Alert: Three Modified npm Packages Steal Developer Secrets

Published: 2026-05-15 10:57:14 | Category: Cybersecurity

Breaking: Malicious Versions of Node-IPC npm Package Found Stealing Developer Secrets

Cybersecurity researchers have uncovered a serious supply chain attack targeting the popular Node.js package node-ipc. Three recently published versions of the npm package—node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1—have been confirmed as malicious, containing a backdoor that steals sensitive developer credentials and secrets.

Node-IPC Malware Alert: Three Modified npm Packages Steal Developer Secrets
Source: feeds.feedburner.com

According to a joint analysis by security firms Socket and StepSecurity, the tampered versions exfiltrate environment variables, SSH keys, and other configuration data from compromised systems. The malicious code triggered immediate alerts within their detection systems, prompting an urgent advisory for all developers using node-ipc.

"This is not a theoretical risk—these packages are live on npm and actively harvesting secrets," said a spokesperson from Socket. "We strongly advise any developer who installed these versions to rotate all credentials immediately."

Background

Node-IPC is a widely used inter-process communication library for Node.js applications, enabling data exchange between processes on the same machine. Its popularity made it an attractive target for attackers aiming to compromise the software supply chain.

The malicious versions were uploaded to the npm registry without visible signs of tampering in the repository or changelogs. Researchers note that this stealthy approach is consistent with previous supply chain attacks, such as those targeting event-stream and ua-parser-js.

"The injection point appears to be a pre-publish hook that modified the final npm package without altering the source code on GitHub," explained a researcher from StepSecurity. "This made detection difficult for standard code reviews."

What This Means

Developers who have used any of the three specific versions must assume their systems are compromised. The stolen data—often including API keys, database passwords, and cloud provider tokens—can be used for lateral movement within networks or to launch further attacks.

Organizations should immediately audit their node_modules directories and check package-lock.json files for the affected versions. Both Socket and StepSecurity have released detection scripts and guidance for remediation.

"This incident underscores the fragility of the open source ecosystem," said the Socket spokesperson. "The industry must adopt tooling that automatically verifies package integrity at installation time, not just during manual audits."

What to Do Now

  • Remove any instance of node-ipc@9.1.6, 9.2.3, or 12.0.1 from your projects.
  • Rotate all credentials that may have been exposed on systems where these packages were installed.
  • Review network logs for unexpected outbound connections to unknown IPs, a common indicator of data exfiltration.
  • Implement package integrity scanning tools like Socket or npm audit to catch future threats.
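One way to carry out the package-lock.json audit described above is sketched below. This is an added example, not one of the Socket or StepSecurity detection scripts. The version list comes from this article; the sample lockfile and the names `demo-app`, `some-cli` and `ipc-alias` are constructed for illustration.

```javascript
// Added example: flag the node-ipc versions named in this article in a package-lock.json.
const PACKAGE = "node-ipc";
const BAD_VERSIONS = new Set(["9.1.6", "9.2.3", "12.0.1"]); // versions listed in the article

// Returns [{ location, version }] for every affected install recorded in the lockfile.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, location) => {
    if (name === PACKAGE && BAD_VERSIONS.has(version)) hits.push({ location, version });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // "name" is only present when it differs from the folder name (npm aliases).
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || location.split("node_modules/").pop(), meta.version, location);
  }
  if (lock.packages) return hits; // v2 repeats the same data under "dependencies"
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = `${trail}node_modules/${name}`;
      check(name, meta.version, location);
      walk(meta.dependencies, `${location}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.2" }, // constructed, not in the affected list
    "node_modules/some-cli/node_modules/node-ipc": { version: "12.0.1" }, // transitive copy
    "node_modules/ipc-alias": { name: "node-ipc", version: "9.1.6" }, // installed under an alias
  },
};

// With a lockfile path as argument, scan that file; otherwise show the sample result.
const file = process.argv[2];
if (file && file.endsWith("package-lock.json")) {
  import("node:fs").then((fs) => {
    const hits = findAffected(JSON.parse(fs.readFileSync(file, "utf8")));
    for (const h of hits) console.log(`AFFECTED ${PACKAGE}@${h.version} at ${h.location}`);
    process.exitCode = hits.length ? 1 : 0; // non-zero exit so CI jobs fail on a hit
  });
} else {
  console.log(findAffected(SAMPLE));
}
```

A lockfile records only what the project resolved, so a clean result does not cover global installs or an already populated node_modules; `npm ls node-ipc --all` checks the installed tree.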

The npm team has been notified and is expected to unpublish the malicious versions shortly. However, cached copies or forks may still pose risks for days to come.

This is a developing story. Check back for updates from Socket, StepSecurity, and the npm security team.