822K Downloads at Risk: Malicious node-ipc Versions Spotted Stealing AWS and Private Keys

📄Full Article· Automatically extracted by trafilatura2827 words

Three malicious versions of node-ipc, a foundational Node.js library used across Web3 build pipelines, were confirmed compromised on May 14, with security firm Slowmist warning that crypto developers relying on the package face immediate credential theft risk. 822K Downloads at Risk: Malicious node-ipc Versions Spotted Stealing AWS and Private Keys Key Takeaways Developer Secrets at Stake Blockchain security firm Slowmist flagged the attack via its Misteye threat intelligence system, identifying three rogue releases, namely versions 9.1.6, 9.2.3, and 12.0.1. The node-ipc package, used to enable inter-process communication (IPC) in Node.js environments, is embedded across decentralized application ( dApp) build pipelines, CI/CD systems, and developer tooling throughout the crypto ecosystem. The package averages over 822,000 weekly downloads, making the attack surface substantial. Each of the three malicious versions carries an identical 80 KB obfuscated payload appended to the package’s CommonJS bundle. The code fires unconditionally on every require(‘node-ipc’) call, meaning any project that installed or updated to the tainted releases ran the stealer automatically, with no user interaction needed. What the Malware Steals The embedded payload targets over 90 categories of developer and cloud credentials, including Amazon Web Services (AWS) tokens, Google Cloud and Microsoft Azure secrets, SSH keys, Kubernetes configurations, Github CLI tokens, and shell history files. Pertinent to the crypto space, the malware targets .env files, which frequently store private keys, RPC node credentials, and exchange API secrets. Stolen data is exfiltrated via DNS tunneling, routing files through Domain Name System queries to evade standard network monitoring tools. Researchers at Stepsecurity confirmed the attacker never touched node-ipc’s original codebase. Instead, they exploited a dormant maintainer account by re-registering its expired email domain. The domain atlantis-software.net expired on January 10, 2025, with the attacker re-registering it via Namecheap on May 7, 2026. They then triggered a standard npm password reset, gaining full publish access without the original maintainer’s knowledge. The malicious versions remained live on the registry for approximately two hours before detection and removal. Any project that ran npm install or auto-updated dependencies during that window should be treated as potentially compromised. Security teams have recommended auditing lock files immediately for versions 9.1.6, 9.2.3, or 12.0.1 of node-ipc and rolling back to the last verified clean release. Supply chain attacks on the npm ecosystem have become a persistent threat in 2026, with crypto projects serving as high-value targets due to the direct financial access their credentials can provide.

Data Status✓ Full text extractedRead Original (Bitcoin.com)

🔍Historical Similar Events· Keyword + Asset Matching1 items

2026-04-23

Bitwarden CLI Supply Chain Attack Puts Crypto Wallet Keys at Risk

Similarity 100%關鍵字 keys/risk

💡 Currently matching via keywords + symbols (MVP) · Will be upgraded to embedding semantic search later

Raw Information

ID:e3297412a8

Source:Bitcoin.com

Published:2026-05-15 10:30:52

Category:General · Export Category neutral

Symbols:Unspecified

Community Votes:+0 / −0 · ⭐ 0 Important · 💬 0 Comments