Supply-chain compromise in node-ipc npm package: three malicious versions distribute data-stealing backdoor
Three versions of the widely-used node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were found to contain malicious code designed to exfiltrate developer secrets and credentials. This represents a direct compromise of a critical infrastructure dependency affecting Node.js projects globally.
Affected
Three specific versions of node-ipc have been confirmed as containing malicious payloads by Socket and StepSecurity. The affected versions (9.1.6, 9.2.3, and 12.0.1) introduce a backdoor designed to steal sensitive data, particularly developer secrets, API keys, and credentials from systems running the compromised code. Given node-ipc's role as a foundational inter-process communication library, the blast radius is potentially severe: any project with these versions as a direct or transitive dependency could be silently harvesting credentials at build time or runtime.
The technical mechanism involves injecting data exfiltration logic into the package distribution. This is not a zero-day vulnerability in node-ipc's legitimate code, but rather a deliberate compromise of specific releases, suggesting either unauthorised package maintainer access or a coordinated typosquatting or registry manipulation attack. The fact that multiple non-sequential versions are affected indicates either a sustained compromise window or multiple upload incidents.
The implications for defenders are immediate and actionable. Node.js projects must audit their dependency trees, including transitive dependencies, for node-ipc versions 9.1.6, 9.2.3, and 12.0.1. Any system that has run code from these versions should be treated as potentially compromised; secrets, API keys, and credentials used in affected environments warrant rotation. Organisations relying on npm packages in CI/CD pipelines face heightened risk, as build servers often possess broad access to deployment credentials.
This incident underscores a critical weakness in open-source governance: npm's lack of mandatory code review, cryptographic signing requirements, or strong identity verification for maintainers. A single compromised account or weak credentials can poison a package consumed by hundreds of thousands of projects. The detection by Socket and StepSecurity suggests the community still lacks robust, automated malware detection across the npm registry, and relies on third-party security vendors rather than registry-level safeguards.
The broader implication is that supply-chain attacks via popular npm packages are now a reliable attack vector. Defenders should implement deeper package verification practices: using lock files with integrity hashes, implementing dependency scanning in CI/CD pipelines, and considering private registry mirrors for critical dependencies. This incident also signals that npm package adoption decisions must now factor in active monitoring and rapid response capabilities, not just functional requirements.
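The dependency audit and lock-file check described above, as an added example that is not part of the original advisory or of the node-ipc project: it scans a parsed package-lock.json for the three listed node-ipc versions, including transitive installs, and flags lock entries that carry no integrity hash. The sample lockfile and the package name "some-tool" are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the node-ipc versions
// named in the advisory and for entries lacking an integrity hash. Handles the
// lockfileVersion 2/3 "packages" map and the v1 nested "dependencies" tree.
const AFFECTED_NODE_IPC = new Set(['9.1.6', '9.2.3', '12.0.1']);

function scanLockfile(lock) {
  const affected = [];
  const missingIntegrity = [];
  const check = (path, name, entry) => {
    if (name === 'node-ipc' && AFFECTED_NODE_IPC.has(entry.version)) {
      affected.push({ path, version: entry.version });
    }
    // Workspace links have no tarball, so no hash is expected for them.
    if (!entry.link && !entry.integrity) missingIntegrity.push(path);
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths; '' is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // Package name is the segment after the last "node_modules/" (13 chars).
      const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 13);
      check(path, name, entry);
    }
  } else {
    // lockfileVersion 1: walk the nested dependencies tree recursively.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, entry);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return { affected, missingIntegrity };
}

// Constructed sample lockfile (not a real project): node-ipc is installed
// directly and again, at another version, under a hypothetical "some-tool".
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^9.1.5', 'some-tool': '^1.0.0' } },
    'node_modules/node-ipc': { version: '9.1.6', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/some-tool': { version: '1.0.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '12.0.1' },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any entry in `affected` means the credentials available to that environment should be rotated.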