
Supply Chain Attack: Malicious Node-IPC Versions (v9.1.6, v9.2.3, v12.0.1) — Detection and Remediation

Security Arsenal Team
May 14, 2026
5 min read

A critical supply chain compromise has been identified within the widely used node-ipc npm package. Security researchers at Socket and StepSecurity have confirmed that versions 9.1.6, 9.2.3, and 12.0.1 contain a "stealer" mechanism designed to exfiltrate developer secrets. This is not a theoretical vulnerability; it is active malicious activity targeting developer environments and CI/CD pipelines. Given the prevalence of node-ipc in the Node.js ecosystem, the potential blast radius includes exposed AWS credentials, private repository tokens, and SSH keys. Defenders must immediately identify and eradicate these versions from all environments.

Technical Analysis

  • Affected Product: node-ipc (Inter-Process Communication module for Node.js)
  • Affected Versions: 9.1.6, 9.2.3, 12.0.1
  • Platform: Cross-platform (Windows, Linux, macOS) running Node.js
  • CVE Identifier: Pending assignment (Check NVD for updates)

Mechanism of Attack: The malicious versions of node-ipc incorporate a path-traversal and data-exfiltration mechanism often disguised within package maintenance or protestware logic. In this specific instance, the code attempts to access sensitive files on the developer's machine or build server. The attack chain typically executes automatically upon package installation (via npm install) or during runtime, utilizing the privileges of the user or process invoking the node script.

The threat actor leverages the package's legitimate functionality to mask illegitimate file system access. The malware targets configuration files often containing secrets (e.g., .npmrc, .bashrc, .aws/credentials, SSH keys). Once accessed, this data is transmitted to a remote listener, effectively backdooring the development environment.

Exploitation Status: Confirmed active exploitation. Researchers have verified the presence of the stealer code in the wild. Organizations using these specific versions should assume compromise and initiate credential rotation procedures immediately.

Detection & Response

SIGMA Rules

---
title: Potential Malicious Node-IPC Package Installation
id: 8a1f2c33-4d5e-6f7a-8b9c-0d1e2f3a4b5c
status: experimental
description: Detects installation of known malicious node-ipc versions (9.1.6, 9.2.3, 12.0.1) via npm CLI.
references:
  - https://socket.dev/blog/detecting-and-blocking-the-peacenotwar-protestware-incident
  - https://stepsecurity.io
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\npm.exe'
      - '\npm.cmd'
    CommandLine|contains:
      - 'node-ipc@9.1.6'
      - 'node-ipc@9.2.3'
      - 'node-ipc@12.0.1'
  condition: selection
falsepositives:
  - Legitimate testing of specific package versions by developers
level: critical
---
title: Node.js Process Accessing Sensitive Credential Files
id: 9b2c3d44-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Node.js processes accessing files typically associated with developer secrets (AWS, SSH, NPM), indicative of the node-ipc stealer behavior.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
    TargetFilename|contains:
      - '\.aws\credentials'
      - '\.ssh\id_rsa'
      - '\.npmrc'
      - '\.bashrc'
  condition: selection
falsepositives:
  - Legitimate deployment tools or credential managers
level: high

KQL (Microsoft Sentinel / Defender)

// Hunt for npm installations involving the specific malicious node-ipc versions.
// On Windows, npm runs as npm.cmd under cmd.exe, so the parent shell is included as well;
// the command-line filter keeps the result set small.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("npm.exe", "npm.cmd", "node.exe", "cmd.exe", "npm")
    or ProcessVersionInfoOriginalFileName in~ ("npm.exe", "node.exe")
| where ProcessCommandLine has_any ("node-ipc@9.1.6", "node-ipc@9.2.3", "node-ipc@12.0.1")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend Tactics = "Supply Chain"

Velociraptor VQL

-- Hunt for presence of malicious node-ipc versions in node_modules directories.
-- The ** glob recurses, so copies nested under other packages are found too;
-- narrow the root (e.g. to user home directories) before running fleet-wide.
-- The regex anchors on the "version" field so that 9.1.6 does not match 9.1.60.
SELECT FullPath, Mtime, Size
FROM glob(globs="/**/node_modules/node-ipc/package.json")
WHERE read_file(filename=FullPath) =~ '"version": *"(9[.]1[.]6|9[.]2[.]3|12[.]0[.]1)"'

Remediation Script (Bash)

#!/bin/bash

# Remediation Script: Node-IPC Malicious Version Removal
# Target Versions: 9.1.6, 9.2.3, 12.0.1

MALICIOUS_VERSIONS=("9.1.6" "9.2.3" "12.0.1")
PACKAGE_NAME="node-ipc"
FOUND_MALICIOUS=0

echo "[+] Scanning for malicious $PACKAGE_NAME versions..."

# Check global packages
for version in "${MALICIOUS_VERSIONS[@]}"; do
  if npm list -g --depth=0 2>/dev/null | grep -q "$PACKAGE_NAME@$version"; then
    echo "[!] REMOVING Global: $PACKAGE_NAME@$version"
    npm uninstall -g "$PACKAGE_NAME"
    FOUND_MALICIOUS=1
  fi
done

# Check local projects (scanning current directory and subdirectories).
# Find all package-lock.json files to verify installed versions.
# Process substitution (not a pipe) keeps the loop in the current shell,
# so FOUND_MALICIOUS set inside it is still visible after the loop.
while IFS= read -r -d '' lockfile; do
  dir=$(dirname "$lockfile")
  echo "[+] Checking $dir"

  for version in "${MALICIOUS_VERSIONS[@]}"; do
    # Lockfile v1 keys the entry as "node-ipc", v2/v3 as "node_modules/.../node-ipc";
    # the "version" line follows within the next few lines of the entry.
    if grep -A3 -E "\"([^\"]*/)?$PACKAGE_NAME\": \{" "$lockfile" \
         | grep -q "\"version\": \"$version\""; then
      echo "[!] MALICIOUS VERSION FOUND in $dir ($PACKAGE_NAME@$version)"
      echo "[!] Removing $PACKAGE_NAME from $dir"
      (cd "$dir" && npm uninstall "$PACKAGE_NAME")
      FOUND_MALICIOUS=1
    fi
  done
done < <(find . -name "package-lock.json" -type f -not -path "*/node_modules/*" -print0)

if [ "$FOUND_MALICIOUS" -eq 0 ]; then
  echo "[+] No malicious versions found in scanned locations."
else
  echo "[!] CRITICAL: Malicious versions were found and removed."
  echo "[!] ACTION REQUIRED: Rotate all API keys, tokens, and credentials used in this environment immediately."
fi

Remediation

  1. Immediate Version Upgrade: Inspect package.json and lock files (package-lock.json or yarn.lock) for node-ipc. If version 9.1.6, 9.2.3, or 12.0.1 is present, update immediately to the latest safe version (e.g., >= 11.0.0 excluding 12.0.1, or pin to a known safe commit).

  2. Integrity Verification: Run npm audit to identify the vulnerability and, if necessary, use the --force flag to force a clean re-install of the dependencies.

  3. Credential Rotation: Because the malware acts as a stealer, assume compromise. Rotate all credentials that may have been resident in the environment during the time the malicious package was installed:

    • AWS / Azure / GCP Access Keys
    • GitHub / GitLab Personal Access Tokens (PATs)
    • SSH Private Keys
    • Database connection strings

  4. Supply Chain Hardening:

    • Commit package-lock.json to version control so that un-audited installs are prevented.
    • Enforce the use of npm ci (clean install) in production build pipelines rather than npm install.
    • Enable dependency review tools (e.g., GitHub Dependabot, Socket, Snyk) to block malicious packages before installation.
