In May 2026, attackers published malicious versions of the widely used Node.js package node-ipc to the npm registry. These versions carried hidden credential-stealing code, potentially exposing developer and cloud environment credentials in any organization whose builds or deployments pulled them in.

  • Malicious node-ipc versions contained obfuscated credential theft payloads loaded via require("node-ipc")
  • Attack likely exploited npm maintainer account through an expired email domain recovery path
  • Exposed secrets may impact developer, cloud, CI/CD, SSH, GitHub, and Kubernetes credentials

Threat signal

In May 2026, several versions of the node-ipc package published to npm were found to contain obfuscated code that steals credentials silently. The payload was embedded directly in the package's CommonJS entry point, so it ran whenever an application, build step, or test run loaded the module with require("node-ipc"). Because it executes at load time rather than from an install lifecycle script, npm's ignore-scripts setting offers no protection against it. Any project that depends on node-ipc directly or transitively and resolved one of these versions would have executed the payload, which is why the exposure extends across the npm ecosystem rather than being confined to direct users.

While node-ipc has been involved in previous supply chain concerns, such as the protestware incident in 2022, this attack was of a different kind: its goal was credential exfiltration rather than destructive behavior. Public research shows that the injected payload was built to collect secrets quietly, putting affected organizations at risk of follow-on ransomware or identity-based compromise.

Operator exposure

Organizations that installed, built, or tested software against the compromised node-ipc versions 9.1.6, 9.2.3, or 12.0.1 should treat any credential reachable from those environments as potentially compromised, including developer workstations, CI/CD runners, cloud accounts, SSH keys, GitHub tokens, and Kubernetes credentials. Because the payload was designed to run silently, detection should not rely on runtime symptoms. Audits should cover lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), installed node_modules trees, the local npm cache, container images, and private registry mirrors or artifact repositories, which may continue to serve the tarballs after they are removed from the public registry.

This incident also underscores the risk of attacker access through social engineering or identity recovery processes tied to maintainer accounts. Evidence suggests the attackers may have re-registered an expired email domain tied to a maintainer's npm identity and used the account recovery flow to regain publishing rights, with no need to breach npm's infrastructure or the project's source repository. This expands the attack surface to include identity lifecycle and account recovery security.

What teams should watch

Security, DevOps, and development teams should prioritize identifying every dependency path to the affected node-ipc versions, using advisory SNYK-JS-NODEIPC-16697063 as the reference, and updating or removing the affected packages immediately. They should then inventory the secrets and tokens reachable from the environments where those versions were installed and rotate any that may have been exposed.

Teams should review access controls on maintainer and publishing accounts for all software supply chain dependencies to reduce exposure to account recovery abuse or domain-related hijacks. This includes monitoring domain expirations tied to email addresses in identity systems, strengthening multifactor authentication, and verifying recovery workflows to harden against identity compromise in open-source package ecosystems.

Source assisted: This briefing began from a discovered source item from Snyk Blog.