Expired domain leads to supply chain attack on node-ipc npm package


A popular npm package called node-ipc has been compromised, with hackers publishing malicious versions that bundle credential-stealing malware. The root cause of the compromise was an expired domain name that attackers managed to register in order to hijack a maintainer’s account.

The node-ipc package has had malware added to its code in the past. In March 2022, following Russia’s invasion of Ukraine, the project’s creator intentionally added malicious code to the program to wipe files on systems with Russian or Belarusian IP addresses.

Node-ipc is a Node.js module that implements support for local and remote Inter-Process Communication over various types of socket across all major platforms. One use case is in implementing complex multi-process neural networks in JavaScript, but the module is also used as a dependency for 424 other projects, and receives almost 700K weekly downloads.

On Thursday, attackers managed to publish three trojanized versions across three different branches of the project: 9.1.6, 9.2.3 and 12.0.1. All new versions contained an 80KB obfuscated credential-stealing payload inside the node-ipc.cjs file.

The malicious code searches for and steals a wide range of credentials for CI/CD tools, cloud services and infrastructure, Kubernetes, SSH, and AI coding agents. The data is exfiltrated through DNS TXT queries rather than HTTP connections.

Since node-ipc is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, this attack could have a large blast radius. Users should immediately scan their systems to determine whether they have any of the compromised versions installed, and if they do, treat the machine and any access token, environment variable, and API key stored on it as compromised.

Exhaustive credential collection and sneaky exfiltration

The malicious payload is decrypted and executed whenever other applications load the package through require('node-ipc').
The trojanized versions were designed to remain fully functional to avoid immediate detection, which, together with other decisions the attackers took, such as data exfiltration via DNS TXT, suggests stealthiness was a top priority.

Once executed, the malicious code collects information about the host system, including operating system version, hostname, and environment variables. It then starts looking for credentials in various locations based on the detected OS.

“The payload chooses between separate decoded target lists for macOS and Linux/default platforms,” researchers from Socket.dev said in their analysis. “The lists are not identical. In the analyzed payload, the macOS list contains 113 patterns and the Linux/default list contains 127 patterns.”

The target lists are extensive and include:

- Configuration files for AWS, Azure, GCP, OCI, DigitalOcean, Scaleway, Hetzner, Fly, Vercel, Railway, Alibaba Cloud, IBM Cloud, Linode, MinIO, Snowflake, Doppler, and Salesforce;
- SSH keys and SSH configuration;
- Kubernetes, Docker, Helm, Rancher, and service-account material;
- npm, Yarn, Netrc, Git, GitHub CLI, GitLab CLI, and Hub credentials;
- Terraform credentials and tfvars files;
- .env, .env.local, .env.production, database configuration files, shell histories, and database CLI histories;
- macOS Keychain database files;
- Firefox profile key database files on macOS;
- Linux keyrings and KWallet files;
- FileZilla, Remmina, OpenVPN, and related connection profiles;
- Microsoft Teams local storage and IndexedDB paths.

While browser credential stores are not targeted directly, macOS keychain databases can contain system and browser credentials, so those credentials should be considered compromised as well and rotated.

All the collected data is archived in a GZIP file, which is then split into chunks and exfiltrated by making DNS TXT queries to an attacker-controlled domain whose name is similar to that of Microsoft’s legitimate Azure Static Web Apps domain. Since the attackers control the DNS server for their domain name, they can see the TXT record queries made by the infected systems and reconstruct the archives on their end from the leaked bytes. The Socket researchers estimate that a 500KB file would require around 29,400 TXT queries to exfiltrate in this way.

“The payload does not establish persistence in the decoded sample,” the researchers said. “There is no observed cron, launchd, rc.d, service installation, or second-stage download. The operational impact is concentrated in the execution window: collection, archive creation, DNS TXT exfiltration, and attempted cleanup.”

Expired domain led to email takeover

The malicious node-ipc versions were published from an npm account called atiertant, which belongs to one of the several developers with maintainer access to the package. Atiertant had never used his access to publish new node-ipc versions before, and has had no activity on node-ipc or any other npm package he has access to since 2022.

Security researchers noticed that the email address for atiertant’s account was hosted on a domain called atlantis-software.net that had expired in January 2025 and was re-registered earlier this month, most likely by the attackers. It was then just a matter of setting up an email server, recreating atiertant’s email address and performing a password reset on the account.

This highlights some of the security challenges open-source software projects face.
While periodically reviewing access lists for dormant and unused accounts is a general security recommendation for companies, open-source projects are maintained by groups of volunteers, and it’s not unusual for people to take long breaks from contributing to projects, especially if those projects have reached a high level of maturity and feature completeness so they no longer get frequent updates.

It’s also likely that the attackers did not target node-ipc from the start; they simply searched npm for accounts with email addresses on custom domain names, then checked whether any of those domain names had expired. This means there might be other dormant accounts out there susceptible to email takeover using the same method.

The Socket.dev report contains additional recommendations for both users and developers, as well as file hashes and other indicators of compromise that security teams can use to create detections.
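The scan the article recommends, as an added example that is not code from the article or from the node-ipc project: it reads a package-lock.json in the v1, v2 or v3 format and reports any node-ipc entry (including aliased installs) pinned to one of the three trojanized versions, so the same check can gate a CI job before install.

```javascript
// Added example, not code from the article or the node-ipc project: scan a
// package-lock.json (lockfile v1, v2 or v3) for the trojanized node-ipc
// versions named in the article. Run as: node scan-lock.js package-lock.json
const fs = require("fs");

// Versions reported as trojanized (from the article).
const COMPROMISED_NODE_IPC = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Return every node-ipc entry in a parsed lockfile as { path, version }.
// v2/v3 lockfiles list installs under "packages", keyed by node_modules path;
// v1 lockfiles nest them under "dependencies".
function findNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      // An aliased install keeps the real name in meta.name; otherwise the
      // package name is the last path segment after "node_modules/".
      const name = meta.name || p.split("node_modules/").pop();
      if (name === "node-ipc" && meta.version) hits.push({ path: p, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === "node-ipc" && meta.version) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`); // transitive deps are nested in v1
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Only the entries whose version is on the compromised list.
function compromisedNodeIpc(lock) {
  return findNodeIpc(lock).filter((h) => COMPROMISED_NODE_IPC.has(h.version));
}

function scanLockfile(file) {
  return compromisedNodeIpc(JSON.parse(fs.readFileSync(file, "utf8")));
}

// CLI entry: report hits and set exit code 2 so CI can fail on them.
if (process.argv[2] && process.argv[2].endsWith(".json") && fs.existsSync(process.argv[2])) {
  const bad = scanLockfile(process.argv[2]);
  for (const h of bad) console.log(`COMPROMISED node-ipc@${h.version} at ${h.path}`);
  if (bad.length === 0) console.log("no compromised node-ipc version in lockfile");
  process.exitCode = bad.length ? 2 : 0;
}
```

A lockfile only shows what is pinned; a machine that ran `npm install` while a bad version was current should still be checked against the installed node_modules and treated per the article's advice if a hit is found.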
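A detection for the DNS TXT exfiltration channel described above, added here as an example and not taken from the article or from Socket's report. It assumes a simplified BIND-style query-log line format and uses a constructed placeholder domain in place of the attacker's look-alike domain.

```javascript
// Added example, not from the article or Socket's report: flag the DNS TXT
// exfiltration pattern described above (a burst of unique, long subdomain
// labels queried as TXT under one domain) in resolver log lines of the
// assumed simplified form "client IP#port: query: NAME IN TYPE".
const TXT_QUERY = /client (\S+?)#\d+: query: (\S+) IN TXT\b/;

// Registrable domain approximated as the last two labels (use the Public
// Suffix List in production).
const baseDomain = (qname) => qname.split(".").slice(-2).join(".");

// Per base domain: TXT query count, average subdomain length, unique-name
// ratio. Legitimate TXT lookups (SPF, DMARC, ACME) are few and repeat the same
// names; chunked exfiltration needs a fresh data-bearing label per query.
function txtExfilSuspects(lines, { minQueries = 20, minAvgPrefix = 24, minUnique = 0.9 } = {}) {
  const perDomain = new Map();
  for (const line of lines) {
    const m = TXT_QUERY.exec(line);
    if (!m) continue;
    const qname = m[2].replace(/\.$/, "").toLowerCase();
    const base = baseDomain(qname);
    const s = perDomain.get(base) || { queries: 0, prefixChars: 0, names: new Set(), clients: new Set() };
    s.queries += 1;
    s.prefixChars += Math.max(0, qname.length - base.length - 1); // minus the joining dot
    s.names.add(qname);
    s.clients.add(m[1]);
    perDomain.set(base, s);
  }
  const suspects = [];
  for (const [domain, s] of perDomain) {
    const avgPrefix = s.prefixChars / s.queries;
    if (s.queries >= minQueries && avgPrefix >= minAvgPrefix && s.names.size / s.queries >= minUnique) {
      suspects.push({ domain, queries: s.queries, avgPrefix, clients: [...s.clients] });
    }
  }
  return suspects;
}

// Constructed sample log: ordinary TXT lookups plus a 40-query burst of unique
// 40-char labels under a placeholder domain (the real domain is not reproduced).
const SAMPLE_LOG = [
  "client 10.0.0.5#53421: query: www.example.com IN A",
  "client 10.0.0.5#53421: query: _dmarc.example.com IN TXT",
  "client 10.0.0.7#40012: query: example.org IN TXT",
];
for (let i = 0; i < 40; i++) {
  const label = i.toString(16).padStart(4, "0") + "ab".repeat(18); // 40 chars, unique per i
  SAMPLE_LOG.push(`client 10.0.0.9#61000: query: ${label}.txt-exfil.example IN TXT`);
}
for (const s of txtExfilSuspects(SAMPLE_LOG)) {
  console.log(`suspect ${s.domain}: ${s.queries} TXT queries, avg label ${s.avgPrefix} chars, from ${s.clients.join(",")}`);
}
```

The thresholds are starting points; at the rate the researchers estimate (around 29,400 queries for 500KB), a real run would exceed them by orders of magnitude, so tuning them down for small environments costs little.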