node-ipc npm Package Attack: Key Details and Response

node-ipc npm Package Attack: Key Details and Response

Posted on By CWS

The node-ipc npm package, a crucial JavaScript library, has once again been compromised. According to reports from Socket and Stepsecurity, three recent versions of this widely-used package, with over 822,000 weekly downloads, have been found to include obfuscated malicious code. This marks the second significant breach of the node-ipc package since 2022.

Details of the Compromised Versions

The affected versions include [email protected], [email protected], and [email protected]. Security researcher Ian Ahl (@TekDefense), CTO at Permiso, identified a dormant maintainer account as the likely attack vector. The attacker exploited this vulnerability by re-registering a lapsed domain, which allowed unauthorized access to the package’s publishing rights.

The malicious components are embedded within the CommonJS entrypoint, node-ipc.cjs, through an obfuscated IIFE. However, the ESM module remains unaffected. Developers utilizing the require(“node-ipc”) function are primarily at risk, whereas purely ESM users may remain unaffected.

Technical Breakdown of the Attack

The payload activates upon module load, leveraging setImmediate() to fork a detached process. It collects host fingerprints through OS metadata and harvests credentials and configuration files from over 100 different patterns, including AWS, Azure, GCP, and more. The harvested data is archived into a gzip tarball and exfiltrated via DNS TXT queries using a deceptive Azure-like domain.

The exfiltration method can generate a substantial number of DNS TXT queries, serving as a potential detection signal. Additionally, all files in the malicious tarballs are marked with a forensic timestamp of October 26, 1985, aiding in identifying compromised copies.

Response and Recommendations

Developers are urged to immediately uninstall the compromised versions and thoroughly audit package-lock.json, yarn.lock, and local npm caches. Any exposed environment variables or credentials should be considered compromised and rotated promptly. Security teams should monitor DNS TXT query traffic and block the malicious resolver domain.

This incident underscores the importance of maintaining vigilant security practices within the software development lifecycle. Staying informed and proactive is crucial to safeguarding against such sophisticated attacks.

For more updates on this situation, follow our channels on Google News, LinkedIn, and X.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

Hacking Groups Exploit OpenClaw to Deploy Malware Hacking Groups Exploit OpenClaw to Deploy Malware Cyber Security News
Microsoft Purview DLP to Restrict Microsoft 365 Copilot in Processing Emails With Sensitive Labels Microsoft Purview DLP to Restrict Microsoft 365 Copilot in Processing Emails With Sensitive Labels Cyber Security News
FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User Cyber Security News
Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive Cyber Security News
Hacker Exploits AI to Breach Mexican Government Systems Hacker Exploits AI to Breach Mexican Government Systems Cyber Security News
China-Linked Group Targets Exchange Servers with Malware China-Linked Group Targets Exchange Servers with Malware Cyber Security News