{"id":72563,"date":"2026-05-15T13:11:41","date_gmt":"2026-05-15T13:11:41","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/malicious-node-ipc-versions-spotted-stealing-aws-and-private-keys\/"},"modified":"2026-05-15T13:11:41","modified_gmt":"2026-05-15T13:11:41","slug":"malicious-node-ipc-versions-spotted-stealing-aws-and-private-keys","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/malicious-node-ipc-versions-spotted-stealing-aws-and-private-keys\/","title":{"rendered":"Malicious node-ipc Versions Spotted Stealing AWS and Private Keys"},"content":{"rendered":"<p><b>(Originally posted on : Bitcoin News )<\/b><br \/>\n<\/p>\n<div>\n<p><span style=\"font-weight:400\"><\/p>\n<div class=\"@container mb-[25px] rounded-sm overflow-clip py-0.5 pr-0.5 pl-2.5 bg-success-100\">\n<div class=\"flex flex-col gap-m overflow-clip rounded-[6px] !bg-success-10 p-3 @[420px]:p-m\">\n<h2 class=\"m-0 flex items-center gap-s text-[19px] !text-[#1c1c1c] md:text-[20px]\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"16\" height=\"10\" viewbox=\"0 0 16 10\" fill=\"none\" class=\"shrink-0 text-success-100\" aria-hidden=\"true\"><path d=\"M1 1.5h14\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\"\/><path d=\"M1 8.5h10\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\"\/><\/svg><span>Key Takeaways<\/span><\/h2>\n<ul class=\"m-0 flex list-none flex-col gap-m pl-0\">\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">Slowmist flagged three malicious node-ipc versions on May 14, targeting over 822,000 weekly npm downloads.<\/span><\/li>\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">The 80KB payload steals 90+ credential categories, including AWS keys and .env 
files via DNS tunneling.<\/span><\/li>\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">Developers must immediately pin to clean node-ipc versions and rotate all potentially exposed secrets.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p><\/span><\/p>\n<h2><span style=\"font-weight:400\">Developer Secrets at <span>Stake<\/span><\/span><\/h2>\n<p><span style=\"font-weight:400\"> <span>Blockchain<\/span> security firm Slowmist <a href=\"https:\/\/x.com\/SlowMist_Team\/status\/2055120695240360404\" target=\"_blank\" rel=\"noopener noreferrer\">flagged the attack<\/a> via its Misteye threat intelligence system, identifying three rogue releases, namely versions 9.1.6, 9.2.3, and 12.0.1. The node-ipc package, used to enable inter-process communication (IPC) in <span>Node<\/span>.js environments, is embedded across <span>decentralized application<\/span> ( <span>dApp<\/span>) build pipelines, CI\/CD systems, and developer tooling throughout the <span>crypto<\/span> ecosystem.<\/span><\/p>\n<figure id=\"attachment_814283\" aria-describedby=\"caption-attachment-814283\" style=\"width:1049px\" class=\"wp-caption aligncenter\"><figcaption id=\"caption-attachment-814283\" class=\"wp-caption-text\">The malicious releases were identified as versions 9.1.6, 9.2.3, and 12.0.1.<\/figcaption><\/figure>\n<p><span style=\"font-weight:400\">The package averages over 822,000 weekly downloads, making the attack surface substantial. Each of the three malicious versions carries an identical 80 KB obfuscated payload appended to the package\u2019s CommonJS bundle. 
The code fires unconditionally on every require('node-ipc') call, meaning any project that installed or updated to the tainted releases ran the stealer automatically, with no user interaction needed.<\/span><\/p>\n<h2><span style=\"font-weight:400\">What the Malware Steals<\/span><\/h2>\n<p><span style=\"font-weight:400\">The embedded payload targets over 90 categories of developer and cloud credentials, including Amazon Web Services (AWS) tokens, Google Cloud and Microsoft Azure secrets, SSH keys, Kubernetes configurations, GitHub CLI tokens, and shell history files. Pertinent to the <a href=\"http:\/\/www.bitcoin.com\/get-started\/a-quick-introduction-to-crypto\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">crypto<\/a> space, the malware targets .env files, which frequently store <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-a-private-key\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">private keys<\/a>, RPC <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-a-bitcoin-node\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">node<\/a> credentials, and exchange API secrets. Stolen data is exfiltrated via DNS tunneling, routing files through Domain Name System queries to evade standard network monitoring tools.<\/span><\/p>\n<p><span style=\"font-weight:400\">Researchers at StepSecurity confirmed the attacker <\/span><a href=\"https:\/\/www.stepsecurity.io\/blog\/node-ipc-npm-supply-chain-attack\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight:400\">never touched node-ipc\u2019s original codebase<\/span><\/a><span style=\"font-weight:400\">. Instead, they exploited a dormant maintainer account by re-registering its expired email domain. 
<\/span><\/p>\n<p><span style=\"font-weight:400\">The domain <\/span><span style=\"font-weight:400\">atlantis-software.net<\/span><span style=\"font-weight:400\"> expired on January 10, 2025, with the attacker re-registering it via Namecheap on May 7, 2026. They then triggered a standard npm password reset, gaining full publish access without the original maintainer\u2019s knowledge.<\/span><\/p>\n<p><span style=\"font-weight:400\">The malicious versions remained live on the registry for approximately two hours before detection and removal. Any project that ran npm install or auto-updated dependencies during that window should be treated as potentially compromised. <\/span><span style=\"font-weight:400\">Security teams have recommended auditing lock files immediately for versions 9.1.6, 9.2.3, or 12.0.1 of node-ipc and rolling back to the last verified clean release. <\/span><\/p>\n<p><span style=\"font-weight:400\">Supply chain attacks on the npm ecosystem have <\/span><a href=\"https:\/\/safeheron.com\/blog\/npm-supply-chain-news-lessons-from-attacks-2026\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight:400\">become a persistent threat<\/span><\/a><span style=\"font-weight:400\"> in 2026, with <a href=\"http:\/\/www.bitcoin.com\/get-started\/a-quick-introduction-to-crypto\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">crypto<\/a> projects serving as high-value targets due to the direct financial access their credentials can provide.<\/span><\/p>\n<p> <!-- --><\/div>\n<p><a href=\"https:\/\/news.bitcoin.com\/slowmist-node-ipc-supply-chain-attack-npm-2026\/\">Source link <\/a><br \/>\n<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Originally posted on : Bitcoin News ) Key Takeaways Slowmist flagged three malicious node-ipc versions on May 14, targeting over 822,000 weekly npm downloads. 
The 80KB payload steals 90+ credential categories, including AWS keys and .env files via DNS tunneling. Developers must immediately pin to clean node-ipc versions and rotate all potentially exposed secrets. Developer [&hellip;]<\/p>\n","protected":false},"author":3947362404,"featured_media":72564,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[32],"tags":[],"_links":{"self":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/72563"}],"collection":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/users\/3947362404"}],"replies":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/comments?post=72563"}],"version-history":[{"count":0,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/72563\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media\/72564"}],"wp:attachment":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media?parent=72563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/categories?post=72563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/tags?post=72563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}