Popular node-ipc npm Package Compromised to Steal Credentials
Recently, hackers have injected malware designed to steal credentials into new versions of node-ipc, a widely used inter-process communication package. This supply chain attack specifically targets npm, a popular package manager for Node.js.
Node-ipc is a Node.js module that facilitates communication between various processes using different types of sockets, such as Unix, Windows, UDP, TLS, and TCP.
Despite the maintainer releasing weaponized versions in March 2022 that aimed at systems based in Russia and Belarus with a data-overwriting module as a form of protest against the Russian invasion of Ukraine, the package continues to receive over 690,000 weekly downloads on npm.
Multiple application security companies, including Socket, Ox Security, and Upwind, have identified three versions of node-ipc as malicious:
node-ipc@9.1.6
node-ipc@9.2.3
node-ipc@12.0.1
The malicious code is hidden within the CommonJS entrypoint (node-ipc.cjs) and is automatically executed when applications are loaded.
The malware is heavily obfuscated and is capable of collecting environment variables, sensitive local files, compressing the stolen data into archives, and exfiltrating it through DNS TXT queries.
It appears that the recent compromise was carried out by an external actor who gained access to the account of an inactive maintainer named ‘atiertant.’
According to researchers, the infostealer injected into the new versions of node-ipc collects various types of information from compromised systems, including:
Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean, and others
SSH keys and SSH configs
Kubernetes, Docker, Helm, and Terraform credentials
npm, GitHub, GitLab, and Git CLI tokens
.env files and database credentials
Shell histories and CI/CD secrets
macOS Keychain files and Linux keyrings
Firefox profile and key database files (on macOS)
Microsoft Teams local storage and IndexedDB paths
The malware avoids scanning files larger than 4 MiB and excludes .git and node_modules directories to improve efficiency and reduce host operational noise.
[Figure: Attack overview (Source: Ox Research)]
An interesting operational tactic employed by the attackers is the use of DNS TXT queries instead of traditional HTTP-based command-and-control (C2) traffic for data exfiltration. They use a fake Azure-themed domain (sh[.]azurestaticprovider[.]net:443) as a bootstrap resolver, sending the data to ‘bt[.]node[.]js’ with query prefixes such as xh, xd, and xf.
Socket reports that exfiltrating a 500 KB compressed archive could result in approximately 29,400 DNS TXT requests, which helps the malicious traffic blend in with normal DNS activity.
Prior to transmission, the malware stores the collected data in temporary compressed tar.gz archives, which are then deleted after exfiltration to minimize forensic traces.
The malware does not establish persistence or download additional payloads, indicating that the operation is primarily focused on swift credential theft and exfiltration.
Developers who may be affected by this attack should promptly remove the compromised versions, rotate any exposed secrets and credentials, and review lockfiles and npm caches for any signs of compromise.