Security researchers have flagged newly published versions of the node-ipc npm package as malicious. Socket and StepSecurity have confirmed that versions 9.1.6, 9.2.3, and 12.0.1 contain code built to steal developer secrets.
Identified Malicious Behavior
Analysis shows that these versions carry both stealer and backdoor functionality. The malware fingerprints the host, searches local files for credentials, and exfiltrates what it collects to a network endpoint, with a DNS-based component in the transfer path. The payload runs whenever the package is loaded at runtime, and its purpose is to ship developer credentials and cloud secrets to a remote command-and-control server.
Targeted material includes credentials for the major cloud providers (Amazon Web Services, Google Cloud, and Microsoft Azure), SSH keys, Kubernetes tokens, and GitHub CLI configuration. The harvested data is GZIP-compressed before being sent to the domain “sh.azurestaticprovider[.]net”.
Suspicious Account Activity
The malicious versions were published by an account named “atiertant,” which has no connection to the package's original author, “riaevangelist.” “atiertant” appears in the maintainer list with no prior publication history, which points to either a compromised credential or the deliberate addition of the account for malicious purposes. The package had been dormant for 21 months before the malicious versions were pushed.
Unlike most malicious npm packages, this one does not rely on npm lifecycle hooks (preinstall, postinstall, and so on). The payload is an Immediately Invoked Function Expression (IIFE) embedded in “node-ipc.cjs,” so it executes every time the package is required. A practical consequence is that installing with scripts disabled (npm install --ignore-scripts) offers no protection here; the code runs the first time any application loads the module.
Technical Insights and Response
The payload computes a SHA-256 fingerprint of the host and compares it against hashes hard-coded in the code, which indicates the campaign is aimed at specific projects or developers rather than every host that installs the package. Because the attackers pre-computed the hashes of their intended targets, the malware is highly selective, and a generic sandbox detonation is unlikely to trigger the gated behaviour unless its fingerprint happens to match.
The malware also carries a secondary exfiltration channel that encodes data in DNS TXT lookups to sidestep local DNS controls. It overrides the process's DNS resolver to use Google's Public DNS, so the lookups bypass the organisation's own resolver (and whatever logging or filtering sits there) on their way to the attacker's command-and-control infrastructure. For defenders, that override is itself the detection opportunity: developer hosts and CI runners normally have no reason to send port-53 traffic to 8.8.8.8 or to any resolver other than the approved one.
Anyone using node-ipc should remove the affected versions and pin to a clean release, 9.2.1 or 12.0.0. If an affected version was installed or executed, treat every secret on that host as exposed: rotate cloud, SSH, Kubernetes, and GitHub credentials, audit npm publishing activity for your own packages, and review CI workflow and cloud audit logs for unauthorized actions. Check nested copies of the dependency as well as the top-level one.
node-ipc has been here before: in 2022 its maintainer deliberately shipped destructive protestware in the package, so the project already has a history of supply-chain concern. This incident is another reminder that a long-dormant dependency which suddenly gains a new maintainer and a new release deserves scrutiny before the update is adopted.
