Researchers detected malicious activity in newly published versions of the node-ipc npm package, which were available for approximately 2 hours. These versions contained an obfuscated infostealer. The malware fingerprints the host environment, enumerates and reads local files, compresses the collected data, wraps it in a cryptographic envelope, and attempts exfiltration through a custom DNS server. Fire once, grab everything, disappear. No trace left on disk, no process lingering, no network connection to close: just DNS queries that look like noise and a cleaned-up tmp file. If you’re watching DNS traffic, though, this one is obvious.
This isn’t actually the first time that node-ipc has had malicious code inserted into it: back in 2022 the maintainers added “protestware” in response to the Ukraine-Russia War. That malware checked whether the victim’s IP address was located in Russia or Belarus and, if it was, wiped their files and replaced them with a heart emoji.
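As an added example (not code from the original post or from the node-ipc project), the following is the kind of check a defender can run over DNS query logs. It matches queries for the exfiltration domain listed in the Indicators of Compromise below and, more generally, flags long, digit-bearing, high-entropy subdomain labels, which is how payload chunks are usually carried in DNS exfiltration. The log format, the sample lines and the thresholds are constructed assumptions; the page does not describe the exact encoding the malware uses, so the label heuristic is a generic one that also catches exfiltration to domains you have not seen before.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Exfiltration domain from the Indicators of Compromise section of this advisory.
IOC_DOMAINS = {"sh.azurestaticprovider.net"}

# Heuristic thresholds for "this label looks like encoded data" (assumptions, tune to your baseline).
MIN_LABEL_LEN = 16        # labels this long are rare in ordinary hostnames
MIN_LABEL_ENTROPY = 3.0   # bits per character; hex/base32 payload chunks score well above this
LABEL_RE = re.compile(r"[0-9a-z]{%d,}" % MIN_LABEL_LEN)

# Constructed sample log (not real traffic), one query per line: "<epoch> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
1710000000 10.0.0.5 www.example.com A
1710000001 10.0.0.5 registry.npmjs.org A
1710000002 10.0.0.7 4a7f9c2e1b8d3f6a0c5e2b9d7f1a3c8e.9f2b6d4a1c7e3f8b5a0d2c9e4f7b1a6d.sh.azurestaticprovider.net A
1710000002 10.0.0.7 b3e1d9c7a5f20486.1e7c3a9f5b2d8e6c.sh.azurestaticprovider.net TXT
1710000003 10.0.0.9 mail.example.com MX
1710000004 10.0.0.7 0f3a7c9e2b5d8f1a4c6e9b2d5f8a1c3e.sh.azurestaticprovider.net A
1710000005 10.0.0.11 c9d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0.c9d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0.tunnel.example.org A
"""


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    qtype: str
    reasons: tuple  # e.g. ("ioc-domain", "encoded-label")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def matches_ioc(qname):
    """True if the query name is, or is a subdomain of, a known exfiltration domain."""
    return any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS)


def has_encoded_label(qname):
    """True if any label looks like a payload chunk: long, alphanumeric, contains a digit, high entropy.

    The digit requirement keeps long natural-language labels (product names, long hostnames)
    from tripping the entropy test; hex/base32/base36 chunks of this length almost always carry digits.
    """
    return any(
        LABEL_RE.fullmatch(label)
        and any(ch.isdigit() for ch in label)
        and shannon_entropy(label) >= MIN_LABEL_ENTROPY
        for label in qname.split(".")
    )


def analyze(log_text):
    """Return one Finding per suspicious query in the log."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = fields
        qname = qname.lower().rstrip(".")
        reasons = []
        if matches_ioc(qname):
            reasons.append("ioc-domain")
        if has_encoded_label(qname):
            reasons.append("encoded-label")
        if reasons:
            findings.append(Finding(client, qname, qtype, tuple(reasons)))
    return findings


def hosts_to_triage(findings):
    """Count suspicious queries per source host; the top entries are where to start looking."""
    return Counter(f.client for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_DNS_LOG)
    for f in results:
        print(f"{f.client:<10} {f.qtype:<4} {','.join(f.reasons):<25} {f.qname}")
    print("hosts to triage:", dict(hosts_to_triage(results)))
```

Feed it your resolver or sensor export in the same four-field shape (or adapt `analyze` to your log format). A host that only trips the IoC match is the confirmed case; a host that only trips the label heuristic, as 10.0.0.11 does in the sample, is worth a look but needs corroboration, since some CDNs and telemetry services also use long random-looking labels.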
For Semgrep Customers
Semgrep has published an advisory and a rule covering this, so you can check your projects for it.
Trigger a new scan on your projects if you haven't recently.
Check the advisories page to see whether any of your projects have recently installed these package versions: https://semgrep.dev/orgs/-/advisories/ssc-a83754ff-9ed1-42bb-b6b0-dd65980b1fb4
Check your dependency filter for matches. If you see “No matching dependencies”, you are not actively using the malicious dependency in any of your projects.
If you did match, follow the remediation advice and review the indicators of compromise below.
Remediation Advice
Immediately rotate the credentials listed in the Indicators of Compromise section. This malware casts a very wide net: it collects dev-related credentials such as cloud credentials, SSH keys and GitHub Actions workflows, but also more general credentials such as Claude, Salesforce and MS365 configuration. Note that if the affected device is a Mac, extra credentials are exfiltrated; these are listed at the bottom of this post.
Indicators of Compromise
Packages
node-ipc@9.1.6
node-ipc@9.2.3
node-ipc@12.0.1
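For teams that want to check lockfiles directly rather than through the Semgrep dependency filter, here is an added example (my code, not Semgrep's rule or anything from the node-ipc project) that reports every copy of node-ipc pinned to one of the three versions above. It handles both lockfile layouts npm has used: the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2 and 3, so transitive copies installed under another package's `node_modules` are caught too. The two sample lockfiles are constructed; the other package names and versions in them are placeholders.

```python
import json
from pathlib import Path

# Malicious versions listed in the Indicators of Compromise above.
MALICIOUS_NODE_IPC = {"9.1.6", "9.2.3", "12.0.1"}

# Constructed lockfileVersion 3 sample: the top-level node-ipc is malicious, the nested copy is not.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"node-ipc": "^9.1.1", "some-tool": "^1.0.0"}},
        "node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/some-tool": {"version": "1.0.0"},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "9.1.1"},
    },
})

# Constructed lockfileVersion 1 sample: only the transitive copy under some-tool is malicious.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {"version": "1.0.0", "dependencies": {"node-ipc": {"version": "12.0.1"}}},
        "node-ipc": {"version": "9.1.1"},
    },
})


def _walk_v1(deps, prefix, hits):
    """lockfileVersion 1 nests transitive deps under each entry's own "dependencies" object."""
    for name, meta in (deps or {}).items():
        here = f"{prefix}node_modules/{name}"
        if name == "node-ipc" and meta.get("version") in MALICIOUS_NODE_IPC:
            hits.append((here, meta["version"]))
        _walk_v1(meta.get("dependencies"), here + "/", hits)


def find_malicious_node_ipc(lock_text):
    """Return sorted (install path, version) pairs for every malicious node-ipc in a package-lock.json."""
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b".
        for path, meta in lock["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == "node-ipc" and meta.get("version") in MALICIOUS_NODE_IPC:
                hits.append((path, meta["version"]))
    else:
        _walk_v1(lock.get("dependencies"), "", hits)
    return sorted(hits)


def find_installed_node_ipc(node_modules):
    """Fallback when no lockfile exists: read package.json of every installed node-ipc copy."""
    hits = []
    for pkg_json in Path(node_modules).rglob("node-ipc/package.json"):
        try:
            meta = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed package.json; not what we are looking for
        if meta.get("name") == "node-ipc" and meta.get("version") in MALICIOUS_NODE_IPC:
            hits.append((str(pkg_json.parent), meta["version"]))
    return sorted(hits)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 1:
        print("v3 sample:", find_malicious_node_ipc(SAMPLE_LOCK_V3))
        print("v1 sample:", find_malicious_node_ipc(SAMPLE_LOCK_V1))
    for lockfile in sys.argv[1:]:
        for path, version in find_malicious_node_ipc(Path(lockfile).read_text()):
            print(f"{lockfile}: {path} is node-ipc@{version} (malicious)")
```

Run it with one or more `package-lock.json` paths as arguments, or with none to see the constructed samples. Remember that a clean lockfile only proves what is pinned now; if the malicious version was installed at any point during the window it was published, the credentials on that machine still need rotating.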
Domains / C2 Servers
DNS-based exfil to bt.node.js via sh.azurestaticprovider.net
Files / System Artifacts
Node-ipc.cjs:1271
fixtures/f_{sha256hash}_(unknown)
fixtures/_paths.txt
Data Exfiltrated
| Category | Target | Files / Paths |
|---|---|---|
| Cloud | AWS | ~/.aws/credentials, ~/.aws/config, ~/.aws/sso/cache/*, ~/.aws/cli/cache/* |
| Cloud | Azure | ~/.azure/accessTokens.json, ~/.azure/msal_token_cache.*, ~/.azure/azureProfile.json, ~/.azure/config, ~/.azure/msazure.login/*, ~/.azure/azd/* |
| Cloud | GCP | ~/.config/gcloud/credentials.db, ~/.config/gcloud/access_tokens.db, ~/.config/gcloud/application_default_credentials.json, ~/.config/gcloud/configurations/*, ~/.config/gcloud/legacy_credentials/* |
| Cloud | OCI | ~/.oci/config, ~/.oci/sessions/* |
| Cloud | Alibaba Cloud | ~/.aliyun/config.json |
| Cloud | IBM Bluemix | ~/.bluemix/config.json |
| Cloud | DigitalOcean | ~/.config/doctl/config.yaml |
| Cloud | Hetzner | ~/.config/hcloud/cli.toml |
| Cloud | Scaleway | ~/.config/scw/config.yaml |
| Cloud | Linode | ~/.config/linode-cli/* |
| Cloud | Fly.io | ~/.fly/config.yml |
| Cloud | Vercel | ~/.vercel/auth.json |
| Cloud | Railway | ~/.railway/config.json |
| Cloud | Snowflake | ~/.snowflake/connections.toml |
| Cloud | Doppler | ~/.doppler.yaml |
| Cloud | Secrets mgmt | /.env, /.env.local, **/.env.production |
| Dev Tools | SSH | ~/.ssh/id*, ~/.ssh/config, ~/.ssh/known_hosts, ~/.ssh/authorized_keys, /etc/ssh/ssh_host_*_key |
| Dev Tools | Git | ~/.gitconfig, .git/config, .git-credentials, ~/.git-credentials |
| Dev Tools | Package mgrs | ~/.npmrc, .npmrc, ~/.yarnrc, ~/.pypirc |
| Dev Tools | Credentials | ~/.netrc |
| Dev Tools | Git forges | ~/.config/gh/hosts.yml, ~/.config/glab-cli/config.yml, ~/.config/hub |
| Dev Tools | Database | /config/database.yml, /wp-config.php |
| AI Tools | Claude | .claude.json, ~/.claude.json, ~/.claude/mcp.json |
| AI Tools | Kiro IDE | .kiro/settings/mcp.json, ~/.kiro/settings/mcp.json |
| K8s / Containers | Kubernetes | ~/.kube/config, /etc/kubernetes/admin.conf, /etc/rancher/k3s/k3s.yaml, /var/run/secrets/kubernetes.io/serviceaccount/token |
| K8s / Containers | Docker | ~/.docker/config.json, ~/.docker/*/config.json, /var/lib/docker/containers/*/config.v2.json |
| K8s / Containers | Podman | ~/.config/containers/auth.json |
| K8s / Containers | GitLab Runner | /etc/gitlab-runner/config.toml, /etc/gitlab/gitlab.rb |
| K8s / Containers | Helm | ~/.config/helm/* |
| CI/CD | GitHub Actions | **/.github/workflows/*.yml (ci, main, build, release, deploy, dependency-review) |
| CI/CD | GitLab CI | **/.gitlab-ci.yml |
| IaC | Terraform | ~/.terraform.d/credentials.tfrc.json, ~/.terraform.d/terraform.rc, ~/.terraformrc, **/terraform.tfvars, **/*.auto.tfvars |
| IaC | Ansible | ~/.ansible/* |
| SaaS / CRM | Salesforce | ~/.sf/*, ~/.sfdx/*, ~/.sfdx/auth/* |
| SaaS / CRM | M365 / PowerApps | ~/.m365.json, ~/.m365/*, ~/.powerapps-cli/authprofiles.json, ~/.powerapps-cli/config.json, ~/.config/Microsoft/Microsoft Teams/... |
| Shell / DB History | History files | ~/.bash_history, ~/.zsh_history, ~/.history, ~/.mysql_history, ~/.psql_history, ~/.python_history, ~/.node_repl_history, ~/.lesshst, ~/.viminfo |
| Misc | Keys / certs / VPN | ~/.pki/nssdb/*, ~/.local/share/keyrings/*.keyring, ~/.kde*/kwallet/*.kwl, /etc/openvpn/*, ~/.cert/nm-openvpn/*, MinIO and AtlasDB CLI configs |
| macOS only | Keychains | ~/Library/Keychains/*.keychain-db, ~/Library/Keychains/login.keychain-db |
| macOS only | Firefox | ~/Library/Mozilla/Firefox/Profiles/*/key*.db |
| macOS only | System / sessions | /private/etc/hosts, /private/etc/openvpn/*, /private/etc/ssh/ssh_host_*_key, ~/.bash_sessions/* |

All Linux paths use ~/Library/... equivalents on macOS.
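When triaging an affected machine, the first question is which of the files in the table actually existed on it, because those are the credentials that left with the exfiltration and need rotating first. As an added example (not from the original post), the script below globs a subset of the table's paths against a given home directory and filesystem root and groups the hits by target. The grouping into targets is mine and covers only some rows; extend `TARGETS` with the remaining rows for your environment. `demo_inventory` builds a throwaway directory tree containing constructed placeholder files so the check can be run offline.

```python
import tempfile
from pathlib import Path

# A subset of the rows in the table above, grouped by target (grouping is mine; the paths are the page's).
TARGETS = {
    "AWS": ["~/.aws/credentials", "~/.aws/config", "~/.aws/sso/cache/*", "~/.aws/cli/cache/*"],
    "SSH": ["~/.ssh/id*", "~/.ssh/config", "~/.ssh/known_hosts", "/etc/ssh/ssh_host_*_key"],
    "Git": ["~/.gitconfig", "~/.git-credentials"],
    "Package mgrs": ["~/.npmrc", "~/.yarnrc", "~/.pypirc"],
    "Kubernetes": ["~/.kube/config", "/etc/kubernetes/admin.conf", "/etc/rancher/k3s/k3s.yaml"],
    "Docker": ["~/.docker/config.json"],
    "Claude": ["~/.claude.json", "~/.claude/mcp.json"],
    "Terraform": ["~/.terraform.d/credentials.tfrc.json", "~/.terraformrc"],
    "Salesforce": ["~/.sf/*", "~/.sfdx/*"],
}


def expand(pattern, home, root):
    """Expand one table pattern: "~/" is resolved against `home`, absolute paths against `root`."""
    if pattern.startswith("~/"):
        base, rel = Path(home), pattern[2:]
    else:
        base, rel = Path(root), pattern.lstrip("/")
    # Only regular files count; the malware reads file contents, so directories alone are not a hit.
    return sorted(str(p) for p in base.glob(rel) if p.is_file())


def inventory(targets, home=None, root="/"):
    """Map each target to the listed files that exist on this host; targets with no hits are omitted."""
    home = Path.home() if home is None else home
    found = {}
    for target, patterns in targets.items():
        hits = []
        for pattern in patterns:
            hits.extend(expand(pattern, home, root))
        if hits:
            found[target] = hits
    return found


def demo_inventory():
    """Run the inventory against a throwaway tree seeded with constructed placeholder files."""
    with tempfile.TemporaryDirectory() as tmp:
        home, root = Path(tmp, "home"), Path(tmp, "root")
        for rel in (
            "home/.aws/credentials",
            "home/.ssh/id_ed25519",
            "home/.ssh/id_ed25519.pub",
            "home/.npmrc",
            "root/etc/kubernetes/admin.conf",
        ):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed placeholder, not a real secret\n")
        return inventory(TARGETS, home=home, root=root)


if __name__ == "__main__":
    import sys

    result = demo_inventory() if "--demo" in sys.argv else inventory(TARGETS)
    for target, files in result.items():
        print(f"[{target}] rotate the credentials held in:")
        for f in files:
            print(f"    {f}")
```

Run it as the user whose account ran `npm install` (the malware ran with that user's permissions, so that is the set of files it could read), and once more with elevated rights if the host also holds the root-owned paths from the table such as the SSH host keys or `/etc/kubernetes/admin.conf`. The output is a rotation checklist, not proof that a given file was read; treat every listed file as compromised.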