Severity

critical

CVE

Not assigned

CWE

CWE-506

Affected Surface

  • node-ipc 9.1.6, node-ipc 9.2.3, node-ipc 12.0.1
  • npm projects loading node-ipc through CommonJS require()
  • Developer workstations and CI runners that installed and loaded affected node-ipc versions
  • Credential stores for SSH, npm, GitHub, cloud providers, Kubernetes, Terraform, databases, and AI coding tools

Three malicious node-ipc versions were published to npm on 14 May 2026: 9.1.6, 9.2.3, and 12.0.1. OSV now tracks the incident as MAL-2026-3744, with all three affected versions mapped to the npm package node-ipc.

This is a package compromise, not a typosquat. Public reporting says the releases were published through a maintainer account with npm publish rights. The malicious code was injected into the package artifact’s CommonJS bundle, node-ipc.cjs, so exposure depends on whether an application, build, test, or dependency path loaded the CommonJS entrypoint.

Affected packages and projects

The affected npm package and versions are:

  • node-ipc@9.1.6
  • node-ipc@9.2.3
  • node-ipc@12.0.1

Projects are at highest risk when they installed one of those versions and loaded node-ipc with require("node-ipc"), or when a transitive dependency did so. Socket and Datadog both report that the reviewed ESM entrypoint was clean while the CommonJS file contained the appended payload. That means an installed package version is the starting point for triage, but runtime loading determines whether the stealer executed.

The impacted environments are the places where node-ipc was installed and loaded: developer laptops, local scripts, application runtimes, CI runners, and release jobs. Those hosts should be treated as credential-exposure candidates because the payload targets secrets commonly present in development and build environments.

What the payload does

The malicious payload is an obfuscated JavaScript block appended to node-ipc.cjs. OSV describes it as an approximately 80 KB payload, and Socket and Datadog report the same malicious node-ipc.cjs hash across the affected versions.

The execution path is unusual because it does not rely on preinstall, install, or postinstall scripts. Instead, it runs when the CommonJS module loads. The payload forks a detached child process with __ntw=1 in the environment, then lets the parent continue so the application can appear to load normally.

Once running, the payload collects:

  • Host context such as platform, architecture, hostname, uname -a, and /etc/hosts.
  • All process environment variables, which often include CI secrets, API keys, registry tokens, and cloud credentials.
  • Local credential files for AWS, Azure, GCP, OCI, Docker, Kubernetes, Helm, Terraform, npm, Git, GitHub CLI, GitLab CLI, SSH, databases, VPN clients, and desktop credential stores.
  • AI coding and agent configuration paths reported by SafeDep, including .claude.json, .claude/mcp.json, and .kiro/settings/mcp.json.

Collected files are placed into a tar archive, gzip-compressed, and written temporarily under an nt-<pid> directory before the payload attempts cleanup.

DNS exfiltration

The exfiltration channel is DNS-based. The decoded configuration reported by Socket, Datadog, and SafeDep includes:

  • Resolver bootstrap host: sh.azurestaticprovider[.]net
  • Observed IP: 37.16.75[.]69
  • DNS query suffix: bt[.]node[.]js
  • Query prefixes: xh, xd, and xf
  • Environment marker: __ntw=1
  • Export marker: __ntRun
  • Payload key material: qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi

The domain sh.azurestaticprovider[.]net is designed to look similar to legitimate Azure Static Web Apps infrastructure at a glance. The payload resolves that host through public resolvers such as 1.1.1.1 and 8.8.8.8, then uses the resolved host as a DNS server for TXT lookups. The stolen archive data is encoded into the DNS query names themselves under bt[.]node[.]js.

This matters operationally because controls that only inspect HTTP egress or npm lifecycle scripts will miss the primary behavior. Detection needs package inventory, runtime process telemetry, and DNS visibility.

Indicators of compromise

Package indicators:

  • node-ipc@9.1.6
  • node-ipc@9.2.3
  • node-ipc@12.0.1

File indicators reported by public analysis:

  • node-ipc.cjs SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
  • node-ipc-9.1.6.tgz SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
  • node-ipc-9.2.3.tgz SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
  • node-ipc-12.0.1.tgz SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981

Runtime and network indicators:

  • Detached Node.js child processes with __ntw=1.
  • Export or string marker __ntRun in node-ipc.cjs.
  • Temporary archive paths matching nt-<pid> and *.tar.gz.
  • Archive entries such as uname.txt, envs.txt, etc/hosts, and fixtures/_paths.txt.
  • DNS lookups for sh.azurestaticprovider[.]net.
  • DNS TXT queries under bt[.]node[.]js, especially query names beginning with the xh., xd., or xf. prefix.
  • DNS-like traffic to 37.16.75[.]69:443.

Remediation

Remove the affected package versions and pin or upgrade to a known-clean release line. Public guidance recommends returning to versions such as 9.1.5, 9.2.2, or 12.0.0 where those lines are required, while verifying the resolved dependency tree rather than only package.json.

Search source repositories, lockfiles, package caches, and deployed node_modules directories for the affected versions and the malicious node-ipc.cjs hash. Because this payload runs when the package is loaded, prioritize environments where node-ipc was actually executed through CommonJS.

If an affected version was loaded, rotate credentials available to that host or runner:

  • npm tokens and package-publishing credentials.
  • GitHub, GitLab, and other source-control tokens.
  • SSH private keys.
  • AWS, Azure, GCP, OCI, and other cloud credentials.
  • Kubernetes service-account tokens and kubeconfigs.
  • Docker registry, Terraform, database, VPN, and deployment credentials.
  • AI coding tool and MCP credentials stored in local configuration files.

For containment, block sh.azurestaticprovider[.]net, 37.16.75[.]69, and *.bt[.]node[.]js where network controls allow it. Also block direct DNS queries to unapproved resolvers from CI runners and developer workstations, because the payload attempts to bypass local DNS monitoring through public resolver configuration.

Defensive lessons

This compromise reinforces two package-security lessons.

First, install-script controls are not enough. A package can execute malicious code at runtime by poisoning the module entrypoint, and that path may trigger during tests, build steps, server startup, or downstream dependency loading.

Second, newly published versions of widely used packages deserve a cooldown window. The malicious releases appeared as package artifacts without corresponding trustworthy source changes. Registry mirroring, dependency firewalls, and update automation should inspect tarball contents and entrypoint diffs before promoting fresh releases into CI or production builds.
