node-ipc Supply Chain Attack: Malicious Code Steals Passwords
The open-source library node-ipc has been compromised again, this time with malicious code designed to steal passwords. Cyber News - Erez Dasa reports that the affected versions are node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. This is a repeat incident for a library whose own maintainer previously shipped protestware that targeted machines geolocated in Russia and Belarus.
Despite that history, node-ipc remains widely used, with hundreds of thousands of weekly downloads. The new compromise, however, appears to come from an external actor rather than the original developer, which makes it a supply chain attack proper rather than an insider threat. That so many projects kept depending on the library after a notorious prior incident points to a blind spot in how teams vet and manage dependencies.
Attackers go after popular open-source components because of their reach: a single malicious release can land in countless downstream projects and on their users' machines, including developer workstations and CI runners. For defenders, a stringent software supply chain posture is not optional, and a package's popularity is not evidence that it is safe to trust.
What This Means For You
- If your organization uses `node-ipc`, immediately audit your dependency tree, including transitive dependencies pulled in by other packages, for versions `9.1.6`, `9.2.3`, or `12.0.1`; `npm ls node-ipc` and your lockfile will show every installed copy, not just the one in your own `package.json`. If found, upgrade to a known clean version, pin it in the lockfile, and treat any host that ran the compromised code (developer machines, build agents, production servers) as a credential-exposure incident: rotate the passwords, tokens, and keys that were present there and review those systems for signs of exfiltration. This isn't just about patching; it's about understanding your full exposure to a tainted supply chain.