Active Supply Chain Attack: Malicious node-ipc Versions Published to npm
StepSecurity identified multiple malicious releases of the popular node-ipc npm package containing an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets. The attack is ongoing and under active analysis.
- Disclosed
- Last updated
- Blast radius
- Multiple npm package consumers; potential exposure of cloud credentials, SSH keys, and CI/CD secrets
- Ecosystems
- Attack vectors
- Affected entities
- node-ipcThree malicious versions containing obfuscated payload for credential theft
StepSecurity has detected an active supply chain attack targeting the node-ipc npm package. Multiple versions have been compromised with malicious code designed to exfiltrate sensitive credentials and secrets from affected environments.\n\nThe malicious payload is obfuscated and specifically targets cloud credentials, SSH keys, and CI/CD secrets—resources critical to software development and deployment infrastructure. Three versions of the package are known to be compromised at the time of disclosure.\n\nThe attack remains active, and the source indicates ongoing investigation with the advisory expected to be updated as more information becomes available.
Indicators of compromise
- Packages
- node-ipc
Remediation
- Immediately audit npm package dependencies for node-ipc presence and version
- Remove or update to a known-safe version of node-ipc if installed
- Rotate all cloud credentials, SSH keys, and CI/CD secrets that may have been exposed
- Review logs for suspicious access patterns during the compromise window
- Monitor for unauthorized access to cloud resources and repositories
- Implement package pinning and verification practices to prevent future compromise
Sources
Cite this entry
"Active Supply Chain Attack: Malicious node-ipc Versions Published to npm." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed May 19, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/active-supply-chain-attack-malicious-node-ipc-versions-published-to-npm-kldfl8
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in @doaction/auth
Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in @doaction/shared
Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in transacts
The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.
npmCompromised package - containedcritical
Malware in buffer-utilities
Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.
npmCompromised package