Multiple trojanized versions of the node-ipc package were uploaded to npm on 14 May 2026. The malicious versions are node-ipc@9.1.6, node-ipc@9.2.3 and node-ipc@12.0.1. The malicious code collects data from the host and exfiltrates it via DNS tunneling.
On 14 May 2026 three malicious versions of the node-ipc package were published on npm: node-ipc@9.1.6, node-ipc@9.2.3 and node-ipc@12.0.1. The apparent root cause is a compromised maintainer account - the malware was introduced directly in the npm tarballs and is not present in the underlying source repository.
The malicious code is appended to the end of the node-ipc.cjs file and runs only when the malicious package is executed by an application, not when it is installed.
Malware Execution
The malware gathers a wide range of information, including many environment files, shell history, network and VPN data, and multiple cloud and developer secrets (full list below). It then encodes the data, writes it temporarily to disk as a tar.gz archive and exfiltrates it using DNS tunneling. After exfiltrating the data the malware exits and does not establish any persistence. The routine runs again, however, each time the malicious package is executed, for example after it has been installed again.
Exfiltration Detail
The malware performs a two-step process to exfiltrate the data. First it resolves sh.azurestaticprovider.net via 1.1.1.1 (fallback: 8.8.8.8) and stores the returned IP (currently 37.16.75.69). It then sets <received_ip>:443 as its DNS server and exfiltrates the data by making DNS TXT queries for subdomains crafted to carry the information. The subdomain structure is as follows: <messagetype>.<machineHex>.<sessionId>.<hmacSig>.<seqNum>.<chunkHex>.bt.node.js. node.js is not a valid domain, so these names are never resolvable through the public DNS and only make sense to the attacker-controlled server; DNS queries for *.bt.node.js, or DNS traffic to 37.16.75.69 on port 443, are therefore a strong indicator of an infected host. Any responses from the server are discarded.
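For incident responders who have DNS query logs or a capture of the traffic, the following added example (not the malware's code and not part of node-ipc) parses query names in the layout above, groups them by session, orders the chunks by sequence number, reports gaps, and checks whether the reassembled bytes start with the gzip magic expected for a tar.gz. The label order is taken from the advisory; the assumptions that seqNum is decimal, that chunkHex is plain hex of the archive bytes, and that log lines are "<timestamp> <client> <qname> <qtype>" are ours, and the sample log lines are constructed.

```javascript
// Added example (not the malware's code, nor node-ipc's): detect and reassemble
// the DNS-tunnel exfiltration described above from DNS query logs.
// Label order <messagetype>.<machineHex>.<sessionId>.<hmacSig>.<seqNum>.<chunkHex>.bt.node.js
// is from the advisory. Assumed here: seqNum is decimal, chunkHex is plain hex
// of the archive bytes, log lines are "<ts> <client> <qname> <qtype>".
const EXFIL_SUFFIX = '.bt.node.js';
const HEX = /^[0-9a-f]+$/;

// Return the parsed labels of a tunnel query, or null for any other name.
function parseExfilName(qname) {
  const name = qname.toLowerCase().replace(/\.$/, '');
  if (!name.endsWith(EXFIL_SUFFIX)) return null;
  const labels = name.slice(0, -EXFIL_SUFFIX.length).split('.');
  if (labels.length !== 6) return null;
  const [messageType, machineHex, sessionId, hmacSig, seqNum, chunkHex] = labels;
  if (!HEX.test(machineHex) || !HEX.test(hmacSig) || !/^\d+$/.test(seqNum)) return null;
  // A DNS label is at most 63 octets, and hex-encoded bytes come in pairs.
  if (!HEX.test(chunkHex) || chunkHex.length > 63 || chunkHex.length % 2) return null;
  return { messageType, machineHex, sessionId, hmacSig, seq: Number(seqNum), chunkHex };
}

// Order chunks by seqNum per session, report gaps, and decode to bytes.
function reassemble(records) {
  const bySession = new Map();
  for (const r of records) {
    if (!bySession.has(r.sessionId)) bySession.set(r.sessionId, new Map());
    bySession.get(r.sessionId).set(r.seq, r.chunkHex); // a retried chunk overwrites itself
  }
  const result = {};
  for (const [sessionId, chunks] of bySession) {
    const seqs = [...chunks.keys()].sort((a, b) => a - b);
    const missing = [];
    for (let s = seqs[0]; s <= seqs[seqs.length - 1]; s++) if (!chunks.has(s)) missing.push(s);
    const bytes = Buffer.from(seqs.map((s) => chunks.get(s)).join(''), 'hex');
    result[sessionId] = { chunks: seqs.length, missing, bytes };
  }
  return result;
}

// The payload is a tar.gz, so a complete session should start with the gzip magic 1f 8b.
function looksLikeGzip(buf) {
  return buf.length >= 2 && buf[0] === 0x1f && buf[1] === 0x8b;
}

// Scan whitespace-separated log lines; the query name is the third field.
function analyzeLog(lines) {
  const flagged = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 3) continue;
    const rec = parseExfilName(fields[2]);
    if (rec) flagged.push({ client: fields[1], ...rec });
  }
  return { flagged, sessions: reassemble(flagged) };
}

// Constructed query log: one tunnel session with chunk 2 missing, plus a benign
// lookup and the resolver-bootstrap lookup named in the advisory.
const SAMPLE_LOG = [
  '2026-05-14T10:00:00Z 10.0.0.5 sh.azurestaticprovider.net A',
  '2026-05-14T10:00:01Z 10.0.0.5 d.0a1b2c3d.s1a2b.deadbeefcafe.0.1f8b08000000.bt.node.js TXT',
  '2026-05-14T10:00:01Z 10.0.0.5 d.0a1b2c3d.s1a2b.deadbeefcafe.1.000000030300.bt.node.js TXT',
  '2026-05-14T10:00:01Z 10.0.0.5 www.example.com A',
  '2026-05-14T10:00:02Z 10.0.0.5 d.0a1b2c3d.s1a2b.deadbeefcafe.3.aabbcc.bt.node.js TXT',
];

const report = analyzeLog(SAMPLE_LOG);
console.log(report.flagged.length, 'tunnel queries');
for (const [sid, s] of Object.entries(report.sessions)) {
  console.log(sid, s.chunks, 'chunks, missing', s.missing, 'gzip:', looksLikeGzip(s.bytes));
}
```

Because the malware talks to the attacker's server directly (on port 443) rather than through the host's configured resolver, these queries will only appear in logs taken from a network tap, an egress proxy or the endpoint itself, not in the logs of the corporate DNS resolver; the bootstrap lookup of sh.azurestaticprovider.net via 1.1.1.1 or 8.8.8.8 is the part most likely to be visible at a network boundary.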