Malware | Bleeping Computer
9.5 — CRITICAL
Popular node-ipc npm package compromised to steal credentials
Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
A supply chain attack compromised the node-ipc npm package, injecting credential-stealing malware into versions 9.1.6, 9.2.3, and 12.0.1, targeting developers with cloud credentials and sensitive local files.
⚙️ Technical Details
Affected Systems
node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1
Attack Vectors
CommonJS entrypoint (node-ipc.cjs), DNS TXT queries
💥 Impact Assessment
Severity: critical
🛡️ Recommended Actions
1. Remove affected versions of node-ipc
2. Rotate exposed secrets and credentials
3. Inspect lockfiles and npm caches
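
For action 3, an added example (not from the Bleeping Computer article or the node-ipc project) that walks a parsed package-lock.json and reports every install path, direct or transitive, that resolves to one of the three versions listed above. The sample lockfile is constructed and `findAffected` is a name chosen here.

```javascript
// Versions the summary above lists as carrying the credential stealer.
const AFFECTED_NAME = 'node-ipc';
const AFFECTED_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']);

// Return every install path in a parsed package-lock.json that resolves to an
// affected version. Covers lockfileVersion 2/3 ("packages") and
// lockfileVersion 1 (nested "dependencies"), including transitive copies.
function findAffected(lock) {
  const hits = [];
  const seen = new Set();
  const record = (path, name, version) => {
    if (name !== AFFECTED_NAME || !AFFECTED_VERSIONS.has(version)) return;
    if (seen.has(path)) return; // v2 lockfiles list each package twice
    seen.add(path);
    hits.push({ path, version });
  };

  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const marker = 'node_modules/';
    const idx = key.lastIndexOf(marker);
    const folderName = idx === -1 ? key : key.slice(idx + marker.length);
    // Aliased installs keep the real package name in "name".
    record(key, entry.name || folderName, entry.version);
  }

  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(path, name, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' }, // not on the list
    'node_modules/build-tool/node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/ipc-alias': { name: 'node-ipc', version: '12.0.1' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To check a real project, pass the `JSON.parse` result of its package-lock.json to `findAffected`; the npm cache and yarn or pnpm lockfiles need a separate check.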
📦 Affected Products
node-ipc
This is a curated summary. The complete article is available at Bleeping Computer.
