Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

Cybersecurity researchers are sounding the alarm about “malicious activity” found in newly published versions of node-ipc. According to The Hacker News, citing Socket and StepSecurity, three specific versions of the npm package have been confirmed as malicious: node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. Early analysis indicates these versions contain a stealer backdoor.

This is a critical supply chain threat, directly targeting developers. An infected node-ipc package in a project means an attacker gains a foothold to exfiltrate sensitive data. Think about the impact: developer secrets, API keys, intellectual property, and even source code could be siphoned off, leading to broader organizational compromise. The attacker’s calculus here is clear – compromise the builder, compromise everything they build and touch.

Defenders need to move quickly. This isn’t just about a single vulnerability; it’s about the integrity of your development pipeline. CISOs must ensure their teams are auditing dependencies, verifying package integrity, and implementing strict supply chain security controls. This incident underscores why reliance on open-source components demands rigorous vetting and continuous monitoring.

What This Means For You

  • If your development teams use `node-ipc`, immediately audit your projects for versions `9.1.6`, `9.2.3`, and `12.0.1`. Remove or downgrade these packages. Then, assume compromise and rotate all developer credentials, API keys, and secrets that might have been present on machines that used these infected packages. This is a direct threat to your intellectual property and build environment.

Source: Shimi's Cyber World

Indicators of Compromise

ID                | Type                   | Indicator
node-ipc-backdoor | Backdoor               | npm package: node-ipc@9.1.6
node-ipc-backdoor | Backdoor               | npm package: node-ipc@9.2.3
node-ipc-backdoor | Backdoor               | npm package: node-ipc@12.0.1
node-ipc-backdoor | Information Disclosure | Stealer backdoor targeting developer secrets
