Malicious node-ipc versions published to npm in suspected maintainer account compromise
Blog post from Snyk
On May 14, 2026, multiple malicious versions of the npm package node-ipc were published, specifically [email protected], [email protected], and [email protected], which contained an obfuscated credential-stealing payload. The attack likely exploited a legitimate npm maintainer account, potentially through the recovery of an expired email domain, rather than compromising the project's CI/CD pipeline. The incident is distinct from a previous 2022 supply chain attack involving node-ipc and focuses on credential theft rather than protestware behavior.

Reports indicate that the malicious code was added to the CommonJS entry point without relying on install-time scripts, allowing it to execute at runtime when the package was imported. Security vendors have identified over 90 credential categories targeted by the payload, which exfiltrated data to infrastructure using the azurestaticprovider[.]net domain.

Organizations that installed or built from these versions are advised to treat exposed secrets in developer, CI/CD, and cloud environments as compromised. Snyk has issued an advisory, SNYK-JS-NODEIPC-16697063, to assist in identifying vulnerable dependency paths and prioritizing remediation. The incident underscores the vulnerability of open source ecosystems to supply chain attacks, particularly through dormant or lightly maintained packages, and highlights the need for rigorous monitoring and the implementation of security measures such as multi-factor authentication (MFA) for npm publishers.
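
An added example, not taken from the Snyk post or advisory: one way to list every node-ipc copy recorded in a package-lock.json (the v2/v3 `packages` map), including nested copies, together with the packages that resolve to each. The sample lockfile, the `build-tool` package and all version strings are constructed placeholders; the affected versions must come from the advisory.

```javascript
// Added example. Version strings are placeholders, NOT the real affected
// versions: take those from the advisory before using this on a real lockfile.
const FLAGGED = new Set(['FLAGGED-VERSION-PLACEHOLDER']);

// Constructed sample in package-lock.json v2/v3 layout ("packages" map).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'build-tool': '*', 'node-ipc': '*' } },
    'node_modules/node-ipc': { version: 'OTHER-VERSION-PLACEHOLDER' },
    'node_modules/build-tool': { version: '1.2.0', dependencies: { 'node-ipc': '*' } },
    'node_modules/build-tool/node_modules/node-ipc': { version: 'FLAGGED-VERSION-PLACEHOLDER' },
  },
};

// Mirror Node's lookup: nearest node_modules/<name> walking up from the dependent.
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (candidate in packages) return candidate;
    if (dir === '') return null;
    const i = dir.lastIndexOf('/node_modules/');
    dir = i === -1 ? '' : dir.slice(0, i);
  }
}

// Report every installed node-ipc copy, whether its version is flagged, and
// which packages resolve to it. The reported payload ran on import, so a
// missing "hasInstallScript" flag or --ignore-scripts is no reassurance.
function auditNodeIpc(lock, flagged) {
  const packages = lock.packages || {};
  const found = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    if (path === 'node_modules/node-ipc' || path.endsWith('/node_modules/node-ipc')) {
      found.set(path, { path, version: meta.version, flagged: flagged.has(meta.version), requiredBy: [] });
    }
  }
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!('node-ipc' in deps)) continue;
    const hit = resolveFrom(packages, path, 'node-ipc');
    if (hit && found.has(hit)) found.get(hit).requiredBy.push(path || '<root project>');
  }
  return [...found.values()];
}

console.log(JSON.stringify(auditNodeIpc(SAMPLE_LOCK, FLAGGED), null, 2));
```

A lockfile in the older v1 layout has no `packages` map, so this returns an empty list for it rather than a clean result.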