Node-ipc Npm Package Hit By Credential Stealer Attack
Briefly

"Researchers at Socket reported that the suspicious versions were flagged within approximately three minutes of publication, classifying the activity as malware almost immediately. Their investigation found that the malicious node-ipc releases contained heavily obfuscated code designed to fingerprint systems, collect local files, compress stolen data, encrypt the payload, and exfiltrate information through DNS-based communication channels."
"The latest attack does not appear to be a typosquatting campaign. Instead, analysts believe the threat actor republished or reintroduced malicious functionality directly into legitimate node-ipc package versions. Researchers also pointed to earlier compromises connected to the package."
"In 2022, versions 10.1.1 and 10.1.2 contained geo-targeted destructive malware that checked whether systems were located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the controversial "peacenotwar" dependency associated with unauthorized file-writing behavior."
"The newly discovered malware specifically affects the CommonJS implementation of the npm package. According to the technical analysis, the malicious payload exists only in the node-ipc.cjs file. The ESM wrapper, node-ipc.js, remained"
Malicious releases of the widely used node-ipc npm package were found to contain obfuscated credential-stealing and backdoor functionality. Security analysts confirmed that recently published package tarballs were infected with malware that harvested sensitive data from developer systems and CI environments. The malicious code fingerprinted systems, collected local files, compressed stolen data, encrypted the payload, and exfiltrated information through DNS-based communication channels. The suspicious activity was flagged within about three minutes of publication. The attack was not attributed to typosquatting; instead, malicious functionality was republished or reintroduced into legitimate node-ipc versions. Earlier compromises included geo-targeted destructive malware in versions 10.1.1 and 10.1.2 and unauthorized file-writing behavior tied to the peacenotwar dependency in versions 11.0.0 and 11.1.0. The new payload affected only the CommonJS implementation in node-ipc.cjs, while the ESM wrapper node-ipc.js remained unaffected.
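As an added defender-side check, not code from the article or from the node-ipc project: a lockfile scanner that lists every direct or transitive node-ipc install and flags the versions the article names. The flagged set is limited to what the page states (the newly reported versions are not listed), and the two lockfile layouts handled are assumed from npm's lockfileVersion 1 and 2/3 formats.

```python
from typing import Dict, Iterator, List, Tuple

# Versions the article names as malicious (2022 incidents); nothing else is assumed.
KNOWN_BAD_NODE_IPC_VERSIONS = {"10.1.1", "10.1.2", "11.0.0", "11.1.0"}

def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install path) for every package in a package-lock.json,
    handling lockfileVersion 2/3 ("packages") and lockfileVersion 1 ("dependencies")."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")

def find_node_ipc(lock: dict) -> List[Dict[str, object]]:
    """List every node-ipc install (direct or transitive), flagging known-bad versions."""
    hits = []
    for name, version, path in iter_lock_entries(lock):
        if name == "node-ipc":
            hits.append({
                "version": version,
                "path": path,
                "known_bad": version in KNOWN_BAD_NODE_IPC_VERSIONS,
                # The payload was reported only in the CJS entry point,
                # so that is the file to pull for manual inspection.
                "inspect": f"{path}/node-ipc.cjs",
            })
    return hits

SAMPLE_LOCK = {  # constructed lockfile for demonstration, not a real project
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/node-ipc": {"version": "9.2.1"},
        "node_modules/some-cli/node_modules/node-ipc": {"version": "10.1.2"},
    },
}
```

Run `find_node_ipc(json.load(open("package-lock.json")))` against a real lockfile; a transitive install nested under another package is reported with its full path.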
Read at The Cyber Express