Node-ipc is a Node.js module that implements assist for native and distant Inter-Course of Communication over varied kinds of socket throughout all main platforms. One use case is in implementing complicated multi-process neural networks in JavaScript, however the module can also be used as a dependency for 424 different initiatives, and receives virtually 700K weekly downloads.
On Thursday, attackers managed to publish three trojanized variations throughout three totally different branches of the challenge: 9.1.6, 9.2.3 and 12.0.1. All new variations contained an 80KB obfuscated credential-stealing payload contained in the node-ipc.cjs file.
The malicious code searches for and steals a variety of credentials for CI/CD instruments, cloud providers and infrastructure, Kubernetes, SSH, and AI coding brokers. The information is exfiltrated by means of DNS TXT queries fairly than HTTP connections.
Since node-ipc is a dependency for a whole bunch of different packages, which in flip could possibly be dependencies for much more packages, this assault might have a big blast radius. Customers ought to instantly scan their programs to find out if they’ve any of the compromised variations put in, and in the event that they do, deal with the machine and any entry token, surroundings variable, and API key saved on it as compromised.
