
Expired domain leads to supply chain attack on node-ipc npm package

Node-ipc is a Node.js module that implements support for local and remote Inter-Process Communication over various types of socket across all major platforms. One use case is in implementing complex multi-process neural networks in JavaScript, but the module is also used as a dependency for 424 other projects, and receives almost 700K weekly downloads.

On Thursday, attackers managed to publish three trojanized versions across three different branches of the project: 9.1.6, 9.2.3 and 12.0.1. All new versions contained an 80KB obfuscated credential-stealing payload inside the node-ipc.cjs file.

The malicious code searches for and steals a wide range of credentials for CI/CD tools, cloud services and infrastructure, Kubernetes, SSH, and AI coding agents. The data is exfiltrated via DNS TXT queries rather than HTTP connections.

Since node-ipc is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, this attack could have a large blast radius. Users should immediately scan their systems to determine if they have any of the compromised versions installed, and if they do, treat the machine and any access token, environment variable, and API key stored on it as compromised.
