Popular node-ipc npm Package Infected with Credential Stealer
Blog post from Socket
Socket's threat feed has flagged recent versions of the npm package node-ipc as malicious, detecting them within minutes of publication. The affected versions (9.1.6, 9.2.3, and 12.0.1) contain obfuscated malware designed to fingerprint host environments, read and compress local files, and exfiltrate data via DNS. The malicious activity seems linked to a dormant maintainer account compromised through an expired email domain. The CommonJS entrypoint executes the payload, which collects sensitive data from developer environments and attempts exfiltration through DNS queries. The payload does not persist, but it can be triggered again if called by other code. Developers are advised to avoid installing these versions and to audit any installations of node-ipc, particularly of those versions. The investigation is ongoing, and further analysis by Socket's Threat Research team aims to confirm the full scope of the compromise and extract indicators of compromise.
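One way to run the audit advised above, as an added example that is not code from Socket's post or from node-ipc: a check of a parsed package-lock.json for the three affected versions, including copies nested under other dependencies. The sample lockfile and the `some-cli` package name are constructed for illustration.

```javascript
// Added example: flag the node-ipc versions named on this page in a parsed package-lock.json.
const AFFECTED = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Returns [{ path, version }] for each affected node-ipc entry.
// Covers lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 (nested "dependencies").
function findAffectedNodeIpc(lock) {
  const hits = new Map(); // keyed by install path so v2 lockfiles are not counted twice
  const record = (path, version) => {
    if (AFFECTED.has(version)) hits.set(path, { path, version });
  };

  // v2/v3: keys look like "node_modules/a/node_modules/node-ipc"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // skip the root project and workspaces
    // An aliased install keeps the real package name in "name"
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "node-ipc") record(path, meta.version);
  }

  // v1 (and the legacy section of v2): walk the nested dependency tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "node-ipc") record(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");

  return [...hits.values()];
}

// Constructed sample lockfile: one clean top-level copy, one affected nested copy,
// and an unrelated package that happens to share an affected version number.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/left": { version: "12.0.1" },
  },
};

console.log(findAffectedNodeIpc(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on a project's package-lock.json. An empty result only means the lockfile does not pin one of the three versions; it says nothing about what was installed on a machine before the lockfile changed.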