Description

Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc.
According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious:
* [email protected]
* [email protected]
* [email protected]
"Early analysis indicates that [email protected], [email protected], and [email protected] contain obfuscated stealer/backdoor behavior," Socket said.
"The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic."
StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control server.
This is not the first time the npm package has incorporated malicious functionality. In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia's military invasion of Ukraine.
Two subsequent versions – 11.0.0 and 11.1.0 – included the "peacenotwar" dependency, which was also published by the same maintainer as a "non-violent protest against Russia's aggression."
"The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt," Socket said.
_(This is a developing story. Please check back for more details.)_
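A defender-side check for the exposure described above, as an added example that is not from the article, Socket or StepSecurity: it walks a parsed package-lock.json (the lockfile v1 nested tree or the v2/v3 `packages` map) and reports every resolved node-ipc or peacenotwar copy, flagging the 2022 versions the article names. `scanLockfile`, `FLAGGED` and the sample lockfile are assumptions constructed for illustration; the newly reported versions have to be appended from the vendor advisories.

```javascript
// Added example: names and sample data are constructed for illustration.
// Versions the article names from the 2022 incident. Append the newly
// reported malicious versions from the Socket / StepSecurity advisories.
const FLAGGED = new Map([
  ['node-ipc', new Set(['10.1.1', '10.1.2', '11.0.0', '11.1.0'])],
  ['peacenotwar', null], // null = report any resolved version as flagged
]);

// lock: parsed package-lock.json object. Returns one hit per resolved copy.
function scanLockfile(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, where) => {
    if (!flagged.has(name)) return;
    const bad = flagged.get(name);
    hits.push({ name, version, where, flagged: bad === null || bad.has(version) });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const i = path.lastIndexOf('node_modules/');
      // meta.name is set for aliased installs; otherwise derive it from the path.
      const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
      check(name, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/some-cli/node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/peacenotwar': { version: '9.1.6' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
for (const h of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${h.flagged ? 'FLAGGED' : 'present'}  ${h.name}@${h.version}  (${h.where})`);
}
```

Because the payload is reported to run when the package is required, nested copies pulled in by other dependencies matter as much as a direct dependency, which is why the scan reports every install path rather than only the top-level entry.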
Basic Information
ID
THN:7E008AC2F41F8784721A7FC21B43DBC0
Published
May 14, 2026 at 17:22