Last updated: July 5, 2026 at 9:01 AM UTC
Tag: domain-takeover (1 article)

node-ipc npm package (822K weekly downloads) compromised via expired-domain takeover, three malicious versions published

Socket and StepSecurity confirmed three malicious node-ipc releases (9.1.6, 9.2.3, 12.0.1, with 12.0.1 tagged as 'latest') uploaded to npm on May 14, 2026 by co-maintainer account 'atiertant'. Each version carries a byte-identical 80KB obfuscated payload appended as an IIFE to node-ipc.cjs, so it fires on every require('node-ipc') without using install scripts. The malware fingerprints the host, sweeps for 100+ credential and config targets, archives them, and exfiltrates via DNS rather than HTTP. Permiso's Ian Ahl traced the likely attack chain: the maintainer's recovery domain atlantis-software[.]net expired in Jan 2025, was re-registered by an attacker on May 7, 2026, then used to reset the npm password.

Check
Scan package-lock.json and yarn.lock for node-ipc versions 9.1.6, 9.2.3, or 12.0.1 published on or after May 14, 2026; check developer machines and CI runners for outbound DNS to non-corporate resolvers since that date.
Affected
Any Node.js project or CI pipeline that ran `npm install node-ipc` on or after May 14, 2026 without a pinned safe version (9.1.5 or 12.0.0). Developer workstations and CI runners with broad credential scope face highest risk.
Fix
Pin node-ipc to 9.1.5 or 12.0.0, purge npm and yarn caches, then rotate cloud access keys, GitHub PATs, SSH keys, and any secrets that touched affected machines. Block egress to attacker DNS resolvers from build infrastructure.
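
The lockfile scan from the Check step, as an added example (not code from Socket, StepSecurity or the original article): it takes lockfile text and reports node-ipc entries resolved to the three versions named above, including nested and aliased installs. The sample lockfiles and the names `demo-app` and `some-cli` are constructed for illustration.

```javascript
// Versions the advisory above names as malicious.
const BAD = new Set(['9.1.6', '9.2.3', '12.0.1']);

// package-lock.json v2/v3: flat "packages" map keyed by install path.
// v1: nested "dependencies" tree. Aliased installs carry the real name in "name".
function scanNpmLock(jsonText) {
  const lock = JSON.parse(jsonText);
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isNodeIpc = meta.name === 'node-ipc' || /(^|\/)node_modules\/node-ipc$/.test(path);
      if (isNodeIpc && BAD.has(meta.version)) hits.push({ where: path, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === 'node-ipc' && BAD.has(meta.version)) hits.push({ where: here.join(' > '), version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// yarn.lock: classic writes `version "x"`, Berry writes `version: x`.
function scanYarnLock(text) {
  const hits = [];
  let header = null; // header of the current entry, kept only if it is a node-ipc entry
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line) && line.endsWith(':')) {
      header = /(^|[\s,"])node-ipc@/.test(line) ? line.slice(0, -1) : null;
    }
    const m = header && line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (m && BAD.has(m[1])) hits.push({ where: header, version: m[1] });
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_NPM_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/node-ipc': { version: '9.1.5' },
  'node_modules/some-cli/node_modules/node-ipc': { version: '9.2.3' },
} });
const SAMPLE_YARN_LOCK = 'left-pad@^1.3.0:\n  version "1.3.0"\n\n' +
  '"node-ipc@^12.0.0", node-ipc@latest:\n  version "12.0.1"\n';
console.log(scanNpmLock(SAMPLE_NPM_LOCK), scanYarnLock(SAMPLE_YARN_LOCK));
```

Pass each function the contents of the matching lockfile in a repository; a hit identifies which dependency path pulled in the bad version, which is where the pin from the Fix step needs to land.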