Key Takeaways
- Slowmist flagged three malicious node-ipc versions on May 14, targeting over 822,000 weekly npm downloads.
- The 80KB payload steals 90+ credential categories, including AWS keys and .env files via DNS tunneling.
- Developers must immediately pin to clean node-ipc versions and rotate all potentially exposed secrets.
Developer Secrets at Stake
Blockchain security firm Slowmist flagged the attack via its Misteye threat intelligence system, identifying three rogue releases, namely versions 9.1.6, 9.2.3, and 12.0.1. The node-ipc package, used to enable inter-process communication (IPC) in Node.js environments, is embedded across decentralized application ( dApp) build pipelines, CI/CD systems, and developer tooling throughout the crypto ecosystem.
The malicious releases were identified as versions 9.1.6, 9.2.3, and 12.0.1.The package averages over 822,000 weekly downloads, making the attack surface substantial. Each of the three malicious versions carries an identical 80 KB obfuscated payload appended to the package’s CommonJS bundle. The code fires unconditionally on every require(‘node-ipc’) call, meaning any project that installed or updated to the tainted releases ran the stealer automatically, with no user interaction needed.
What the Malware Steals
The embedded payload targets over 90 categories of developer and cloud credentials, including Amazon Web Services (AWS) tokens, Google Cloud and Microsoft Azure secrets, SSH keys, Kubernetes configurations, Github CLI tokens, and shell history files. Pertinent to the crypto space, the malware targets .env files, which frequently store private keys, RPC node credentials, and exchange API secrets. Stolen data is exfiltrated via DNS tunneling, routing files through Domain Name System queries to evade standard network monitoring tools.
Researchers at Stepsecurity confirmed the attacker never touched node-ipc’s original codebase. Instead, they exploited a dormant maintainer account by re-registering its expired email domain.
The domain atlantis-software.net expired on January 10, 2025, with the attacker re-registering it via Namecheap on May 7, 2026. They then triggered a standard npm password reset, gaining full publish access without the original maintainer’s knowledge.
The malicious versions remained live on the registry for approximately two hours before detection and removal. Any project that ran npm install or auto-updated dependencies during that window should be treated as potentially compromised. Security teams have recommended auditing lock files immediately for versions 9.1.6, 9.2.3, or 12.0.1 of node-ipc and rolling back to the last verified clean release.
Supply chain attacks on the npm ecosystem have become a persistent threat in 2026, with crypto projects serving as high-value targets due to the direct financial access their credentials can provide.
Source: https://news.bitcoin.com/slowmist-node-ipc-supply-chain-attack-npm-2026/
