{"slug": "compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration", "title": "Compromised node-ipc on npm: Credential Stealer via DNS Exfiltration", "summary": "Three versions of the widely used npm package node-ipc (9.1.6, 9.2.3, and 12.0.1) were compromised on May 14, 2026, after an attacker took over the co-maintainer account \"atiertant\" and published malicious updates containing an 80KB obfuscated payload. The malware steals over 100 categories of sensitive files including SSH keys, cloud provider credentials, and AI tool configurations, then exfiltrates them as gzipped tar archives via DNS tunneling to the command-and-control server sh[.]azurestaticprovider[.]net. With the package averaging 822,000 weekly downloads and version 12.0.1 tagged as \"latest,\" any unpinned npm install command would pull the credential-stealing code, posing a critical supply chain risk to the Node.js ecosystem.", "body_md": "# Compromised node-ipc on npm: Credential Stealer via DNS Exfiltration\n\n## TL;DR\n\nThree versions of `node-ipc` (9.1.6, 9.2.3, 12.0.1) were published to npm on May 14, 2026 by a compromised maintainer account (`atiertant`). Each version contains an identical 80KB obfuscated payload appended to `node-ipc.cjs` that steals over 100 categories of sensitive files (SSH keys, cloud provider credentials, `.env` files, Kubernetes configs, AI tool configurations) and exfiltrates them as gzipped tar archives via DNS tunneling. 
The package averages **822,000 weekly downloads**.\n\n**Impact:**\n\n- Steals SSH keys, AWS/Azure/GCP credentials, `.npmrc`, `.env` files, Kubernetes configs, and more (113 targeted paths on Linux, 127 on macOS)\n- Exfiltrates collected data as HMAC-signed, gzipped tar archives via DNS TXT record queries\n- Forks a detached child process for background execution, surviving the parent process exit\n- Targets AI coding tool configurations (`.claude.json`, `.kiro/settings/mcp.json`)\n\n**Indicators of Compromise (IoC):**\n\n- Packages: `node-ipc` 9.1.6, 9.2.3 and 12.0.1 (SHA-256 of the three published packages: `449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e`, `c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea`, `78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981`)\n- Injected payload SHA-256: `3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7`\n- C2 endpoint: `sh[.]azurestaticprovider[.]net:443`\n- HMAC signing key: `qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi`\n- Anti-re-execution env var: `__ntw=1`\n- Temp directory pattern: `~/nt-{PID}/`\n- Archive filename pattern: `{hmac}.tar.gz`\n- Publishing account: `atiertant`\n\n## Analysis\n\n### Package Overview\n\n[node-ipc](https://github.com/RIAEvangelist/node-ipc) is a widely used Inter-Process Communication library for Node.js, supporting Unix/Windows sockets, TCP, and UDP. The npm registry shows 822,257 downloads in the past week. The package has a notable history: in March 2022, the original maintainer (`riaevangelist`) deliberately introduced a protestware payload targeting users with Russian and Belarusian IP addresses ([CVE-2022-23812](https://nvd.nist.gov/vuln/detail/CVE-2022-23812)).\n\nThis new compromise is different. 
On May 14, 2026, three versions appeared within minutes of each other, all published by `atiertant`, a co-maintainer whose account was likely taken over:\n\nThe clean versions (9.1.5, 12.0.0) were published by the original maintainer `riaevangelist`. All three malicious versions were published by `atiertant`, who maintains roughly 20 other packages on npm. The `12.0.1` version was tagged as `latest`, meaning any `npm install node-ipc` without a pinned version pulls the compromised code.\n\n### Entry Point and Payload Injection\n\nThe attacker’s strategy differed across the version lines. For `12.0.1`, the diff against `12.0.0` reveals two changes to `package.json`:\n\nThe `prepare` script was removed, and `node-ipc.cjs` was replaced with a pre-built bundle containing the payload. No install hooks. The malicious code runs as a side effect when `node-ipc.cjs` is `require()`’d.\n\nThe injection point is line 1271 of `node-ipc.cjs`, immediately after the legitimate module’s `module.exports` assignment:\n\nThe appended payload is 80,079 bytes of obfuscated JavaScript. All three compromised versions contain byte-identical payloads (SHA-256: `3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7`).\n\nFor `9.1.6`, the attacker went further. Version 9.1.5 had no `node-ipc.cjs` file at all. The attacker added it, changed `package.json` to set `\"main\": \"node-ipc.cjs\"` with dual ESM/CJS exports, and upgraded the entire package structure to match the 12.x line. This rebuilt bundle carries the same payload.\n\n### Obfuscation and Deobfuscation\n\nThe payload uses a standard JavaScript obfuscator with a rotated string lookup array. A 443-element string array (`_0x3afe`) is shuffled at load time until a checksum matches `0xb5c88`. 
All string literals are accessed through index lookups via `_0x1a49(index)`, and control flow uses helper objects with indirected function calls.\n\nSensitive strings (the C2 address, HMAC key, and file path lists) use an additional layer: a custom base-16 encoding where hex digits `a` through `f` are replaced with `G`, `H`, `J`, `K`, `M`, `P` (skipping letters easily confused with digits). The last character serves as a checksum. Nibble order is reversed during decoding (low nibble first).\n\nApplying this to the three encoded constants:\n\n| Encoded | Decoded |\n|---|---|\n| `3786M216G757275637471...34343339` | `sh.azurestaticprovider.net:443` |\n| `17G58307J43367M487259...54P655966` | `qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi` |\n| `2647M2M6P64656M2G637H` | `bt.node.js` |\n\nTwo additional encoded strings (5,141 and 5,601 characters) decode to platform-specific file path lists.\n\n### Targeted Credentials\n\nThe payload selects a target list based on `os.platform()`. The Linux list contains 113 glob patterns; the macOS (darwin) list contains 127. A sample of targeted paths:\n\n**Cloud provider credentials:**\n\n**SSH and Git credentials:**\n\n**Development environment secrets:**\n\n**Kubernetes and infrastructure:**\n\n**AI coding tool configurations:**\n\n**CI/CD and DevOps:**\n\nThe inclusion of `.claude.json`, `.claude/mcp.json`, and `.kiro/settings/mcp.json` is notable. These are configuration files for AI coding assistants that may contain MCP server credentials and API keys. 
This suggests the attacker is tracking the adoption of AI development tools and specifically targeting their credential stores.\n\n### Data Collection and Archive Creation\n\nThe malware’s execution flow, reconstructed from the obfuscated switch-case in `_0x541368`:\n\n- Creates a temporary directory at `~/nt-{PID}/`\n- Generates random bytes and derives an HMAC signature using the hardcoded key\n- Resolves the system hostname\n- Walks the file path list, expanding globs and reading matched files\n- Packs collected files into a tar archive (manual tar implementation using `ustar` format headers)\n- Compresses with `zlib.gzipSync()`\n- Writes the archive to `~/nt-{PID}/{hmac}.tar.gz`\n\nThe archive is then exfiltrated and the temp file deleted.\n\n### DNS Exfiltration\n\nThe payload exfiltrates data through DNS TXT record queries. This technique bypasses most egress firewalls and network monitoring because DNS traffic is rarely inspected at the application layer.\n\nThe exfiltration function (`_0x39bb3b`) works as follows:\n\n- Splits the gzipped archive into chunks sized for DNS labels\n- Encodes each chunk as base64\n- Builds a JSON metadata header containing `machineHex`, `cloud`, `archivePath`, `gzipBytes`, chunk counts, and `hostLabel`\n- HMAC-signs the header and data chunks using the hardcoded key with `|p` and `|t` suffixes\n- Constructs DNS query domains: `{chunk}.{sig}.{metadata}.{c2_domain}`\n- Sends queries via `dns.Resolver` with custom DNS servers (`1.1.1.1`, `8.8.8.8`)\n- Sends a final “done” message with the total chunk count\n\nThe C2 domain `sh[.]azurestaticprovider[.]net` is designed to blend with legitimate Azure Static Web Apps infrastructure at a glance.\n\n### Persistence Mechanism\n\nThe payload uses `child_process.fork()` to spawn a detached background process:\n\nThe `__ntw` environment variable prevents the forked child from forking again. 
The detached process continues running after the parent Node.js process exits, giving the malware time to complete file collection and DNS exfiltration even if the importing application shuts down quickly.\n\nA SHA-256 hash comparison (`fdba4191831a13debf9d8c0c940b0301c7b7f01d27f1b1c73ed3ceaa2db4103b`) validates the module’s file path before forking, likely as an anti-analysis measure to avoid executing in unexpected environments.\n\n### Root Cause: Maintainer Account Takeover\n\nThe `atiertant` account has been an npm co-maintainer on `node-ipc` alongside the original author. The account also maintains ~20 other packages (`node-turn`, `asynk`, `offshore`, etc.). The three malicious versions were published within 56 seconds of each other, across three different major version lines, and tagged to maximize install coverage (`latest`, `unpublished`, `legacy-9.1`).\n\nThis pattern points to credential compromise rather than a rogue maintainer: the simultaneous multi-version publish with identical payloads suggests automated tooling, and the payload itself bears no resemblance to the `atiertant` maintainer’s normal publishing activity.\n\n## Conclusion\n\nThis compromise targets one of npm’s most downloaded IPC libraries with a sophisticated credential stealer. The attacker chose DNS tunneling over simpler HTTP exfiltration, used HMAC-signed payloads, implemented custom base-16 encoding to obscure IoCs, and targeted an unusually broad set of credentials including AI tool configurations. The C2 domain mimics Azure infrastructure naming.\n\nIf you installed `node-ipc` versions 9.1.6, 9.2.3, or 12.0.1, rotate all credentials on the affected machine. Check for the `~/nt-*/` temp directory and running detached Node.js processes. 
Pin to known clean versions (9.1.5, 12.0.0) or audit with `vet` to flag compromised versions before they reach CI.\n\n- npm\n- oss\n- malware\n- supply-chain\n- node-ipc\n- credential-theft\n- dns-exfiltration\n- account-takeover\n\n### Author\n\n#### SafeDep Team\n\nsafedep.io", "url": "https://wpnews.pro/news/compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration", "canonical_source": "https://safedep.io/malicious-node-ipc-npm-compromise", "published_at": "2026-05-14 16:56:04+00:00", "updated_at": "2026-05-27 08:40:15.501219+00:00", "lang": "en", "topics": ["ai-tools"], "entities": ["node-ipc", "npm", "atiertant", "AWS", "Azure", "GCP", "Kubernetes", "Claude"], "alternates": {"html": "https://wpnews.pro/news/compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration", "markdown": "https://wpnews.pro/news/compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration.md", "text": "https://wpnews.pro/news/compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration.txt", "jsonld": "https://wpnews.pro/news/compromised-node-ipc-on-npm-credential-stealer-via-dns-exfiltration.jsonld"}}