Key Takeaways:
Slowmist flagged three malicious node-ipc versions on May 14, targeting over 822,000 weekly npm downloads. The 80KB payload steals 90+ credential categories, including AWS keys and .env files via DNS tunneling. Developers must immediately pin to clean node-ipc versions and rotate all potentially exposed secrets.The package averages over 822,000 weekly downloads, making the attack surface substantial. Each of the three malicious versions carries an identical 80 KB obfuscated payload appended to the package’s CommonJS bundle. The code fires unconditionally on every require(‘node-ipc’) call, meaning any project that installed or updated to the tainted releases ran the stealer automatically, with no user interaction needed.
What the Malware StealsThe domain atlantis-software.net expired on January 10, 2025, with the attacker re-registering it via Namecheap on May 7, 2026. They then triggered a standard npm password reset, gaining full publish access without the original maintainer’s knowledge.
The malicious versions remained live on the registry for approximately two hours before detection and removal. Any project that ran npm install or auto-updated dependencies during that window should be treated as potentially compromised. Security teams have recommended auditing lock files immediately for versions 9.1.6, 9.2.3, or 12.0.1 of node-ipc and rolling back to the last verified clean release.
