Malicious node-ipc releases steal AWS keys, .env files

Three malicious node-ipc releases published on May 14 carried an 80 KB credential stealer that executed as soon as code called require('node-ipc'), exfiltrating AWS keys, .env files and other developer credentials.

On May 14 security firm SlowMist confirmed three malicious releases of the node-ipc Node.js package. The compromised versions, 9.1.6, 9.2.3 and 12.0.1, were published to the npm registry and reached projects that installed the library or whose semver ranges resolved to them: a range such as ^9.1.0 or ^12.0.0 in package.json would select the new release on any install that re-resolved dependencies. node-ipc averages about 822,000 weekly downloads. Each tainted release carried an identical 80 KB obfuscated payload appended to the package's CommonJS bundle, so it ran automatically whenever application code called require('node-ipc'), whether from a test suite, a build step or the running application.

The payload targeted more than 90 types of developer and cloud credentials. Items identified as exfiltrated included AWS tokens, Google Cloud and Microsoft Azure credentials, SSH keys, Kubernetes configuration files, GitHub CLI tokens, shell history files and .env files, which often contain private keys, RPC credentials and exchange API secrets. Stolen data was sent out using DNS tunneling: file contents are encoded into the labels of DNS queries for an attacker-controlled domain, so the exfiltration rides on resolver traffic that egress filtering and proxy inspection typically let through unexamined.

Researchers at StepSecurity found that the attacker never touched the node-ipc source repository; the malicious code existed only in the packages published to npm. Access came through an expired maintainer contact domain, atlantis-software.net, which had lapsed on January 10, 2025. The attacker re-registered it on May 7, 2026, used it to request and receive an npm password reset for the maintainer account, and published the malicious releases from the recovered account. The tainted versions were available on the registry for roughly two hours on May 14 before being removed. Because the repository was clean, a review of the upstream source would have shown nothing; only the published package contents revealed the payload.

Projects that ran npm install without an up-to-date lockfile, performed dependency updates, or had continuous integration systems that resolved dependencies afresh during the two-hour window should be treated as potentially compromised; a lockfile that already pinned an earlier version would not have pulled a tainted release unless it was regenerated. Security teams recommended auditing lockfiles and package.json entries for node-ipc versions 9.1.6, 9.2.3 and 12.0.1, including copies nested under other dependencies; rolling back to the last verified clean release and pinning it; and rotating any credentials that may have been exposed, including AWS access keys, cloud provider secrets, SSH keys and API tokens, since the payload read them at require time and a rollback alone does not recover them. Teams were also advised to inspect CI/CD logs and runner environments for evidence of exfiltration and to revoke or replace any compromised secrets.

SlowMist and StepSecurity urged stronger maintainer account controls and registry protections so that control of an expired contact domain cannot be converted into publish access. npm users were advised to verify maintainer contact information and apply additional verification for critical packages. Organizations were advised to monitor for unusual DNS activity, such as bursts of long, high-entropy subdomains under a single domain, which can indicate tunneling-based exfiltration.
