822K Downloads at Risk: Malicious node-ipc Versions Spotted Stealing AWS and Private Keys
Briefly

"SlowMist flagged three malicious node-ipc versions on May 14, targeting over 822,000 weekly npm downloads. The 80KB payload steals 90+ credential categories, including AWS keys and .env files via DNS tunneling. Developers must immediately pin to clean node-ipc versions and rotate all potentially exposed secrets."
"Each of the three malicious versions carries an identical 80 KB obfuscated payload appended to the package's CommonJS bundle. The code fires unconditionally on every require('node-ipc') call, meaning any project that installed or updated to the tainted releases ran the stealer automatically, with no user interaction needed."
"The embedded payload targets over 90 categories of developer and cloud credentials, including Amazon Web Services (AWS) tokens, Google Cloud and Microsoft Azure secrets, SSH keys, Kubernetes configurations, GitHub CLI tokens, and shell history files. Pertinent to the crypto space, the malware targets .env files, which frequently store private keys, RPC node credentials, and exchange API secrets."
"Stolen data is exfiltrated via DNS tunneling, routing files through Domain Name System queries to evade standard network monitoring tools. Researchers at StepSecurity confirmed the attacker never touched node-ipc's original codebase. Instead, they exploited a dormant maintainer account by re-registering its expired email domain."
Three malicious node-ipc versions were flagged, each containing an identical 80 KB obfuscated payload appended to the CommonJS bundle. The payload executes unconditionally on every require('node-ipc') call, so any project that installed or updated to the tainted releases runs the stealer automatically without user interaction. The malware targets more than 90 categories of developer and cloud credentials, including AWS tokens, Google Cloud and Microsoft Azure secrets, SSH keys, Kubernetes configurations, GitHub CLI tokens, and shell history files. It also targets .env files that often store private keys, RPC node credentials, and exchange API secrets. Exfiltration occurs through DNS tunneling using DNS queries to evade network monitoring. The attacker did not modify the original codebase and instead re-registered an expired email domain tied to a dormant maintainer account.
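The DNS tunneling described above leaves a recognisable trace in resolver logs: bursts of queries whose subdomain labels are long, high-entropy encoded chunks, all sitting under one registered domain. The following is an added detection example written for this page; it is not code from the article, from SlowMist, from StepSecurity or from the node-ipc project. The log line format, the client addresses and the domain `exfil-placeholder.example` are constructed for the demo, the `parseLine`, `scoreQuery` and `detectTunneling` names are the example's own, and the registered-domain split is a naive "last two labels" rule rather than a Public Suffix List lookup.

```javascript
// Added example (not from the article or the node-ipc project): heuristic
// detection of DNS-tunneling exfiltration over DNS query logs.
// Log format, addresses and "exfil-placeholder.example" are constructed.

const SAMPLE_LOG = [
  // constructed: ordinary developer traffic
  "2024-05-14T09:00:01Z client=10.0.0.5 qtype=A qname=registry.npmjs.org.",
  "2024-05-14T09:00:02Z client=10.0.0.5 qtype=A qname=api.github.com.",
  "2024-05-14T09:00:03Z client=10.0.0.7 qtype=AAAA qname=cdn.example.com.",
  // constructed: hex-encoded file chunks packed into long labels under one domain
  "2024-05-14T09:00:04Z client=10.0.0.5 qtype=TXT qname=4b6579.9a7f3e2c1d0b8e7f6a5c4d3e2f1a0b9c.8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a.exfil-placeholder.example.",
  "2024-05-14T09:00:04Z client=10.0.0.5 qtype=TXT qname=4b6579.1f2e3d4c5b6a79887766554433221100.aabbccddeeff00112233445566778899.exfil-placeholder.example.",
  "2024-05-14T09:00:05Z client=10.0.0.5 qtype=TXT qname=4b6579.00ff11ee22dd33cc44bb55aa66997788.99887766554433221100ffeeddccbbaa.exfil-placeholder.example.",
];

// Parse one log line into { client, qtype, labels[] }; null if it does not match.
function parseLine(line) {
  const m = /client=(\S+) qtype=(\S+) qname=(\S+)/.exec(line);
  if (!m) return null;
  const labels = m[3].replace(/\.$/, "").toLowerCase().split(".");
  return { client: m[1], qtype: m[2], labels };
}

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Naive split: the last two labels are treated as the registered domain and
// everything before them as attacker-controllable subdomain data.
// (A real deployment would consult the Public Suffix List instead.)
function splitName(labels) {
  return { registered: labels.slice(-2).join("."), sub: labels.slice(0, -2) };
}

// Score 0..4, one point per tunneling indicator present in the query.
function scoreQuery(q) {
  const { sub } = splitName(q.labels);
  const joined = sub.join("");
  let score = 0;
  if (sub.some((l) => l.length >= 30)) score++;         // unusually long label
  if (joined.length >= 40) score++;                     // large subdomain payload
  if (shannonEntropy(joined) >= 3.2) score++;           // encoded, not word-like
  if (q.qtype === "TXT" || q.qtype === "NULL") score++; // record types common in tunneling
  return score;
}

// Flag queries scoring >= minScore, then group by (client, registered domain)
// so a burst of distinct high-entropy subdomains under one domain stands out.
function detectTunneling(lines, { minScore = 3, minQueries = 3 } = {}) {
  const flaggedQueries = [];
  const groups = new Map();
  for (const line of lines) {
    const q = parseLine(line);
    if (!q) continue;
    const score = scoreQuery(q);
    if (score < minScore) continue;
    const { registered } = splitName(q.labels);
    const qname = q.labels.join(".");
    flaggedQueries.push({ client: q.client, domain: registered, score, qname });
    const key = `${q.client}|${registered}`;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(qname);
  }
  const suspiciousSources = [];
  for (const [key, names] of groups) {
    if (names.size >= minQueries) {
      const [client, domain] = key.split("|");
      suspiciousSources.push({ client, domain, count: names.size });
    }
  }
  return { flaggedQueries, suspiciousSources };
}

// Run over the constructed sample: one client pushing three distinct encoded
// names to one domain is reported; the npm/GitHub/CDN lookups are not.
const demo = detectTunneling(SAMPLE_LOG);
for (const s of demo.suspiciousSources) {
  console.log(`possible DNS exfil: ${s.client} -> ${s.domain} (${s.count} distinct queries)`);
}
```

The per-query score keeps single odd-looking lookups (CDN hashes, DKIM records) from paging anyone; it is the grouping by client and registered domain that surfaces an exfiltration run, because a stealer pushing a file out has to emit many unique names under the same domain in a short window. Thresholds here are deliberately loose for the demo and should be tuned against a baseline of your own resolver logs.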
Read at news.bitcoin.com