node-ipc Supply Chain Hit: Checking for Backdoor Exfiltration
Just saw the alerts from Socket and StepSecurity regarding the malicious commits in the node-ipc package. It looks like versions 9.1.6, 9.2.3, and 12.0.1 were sabotaged to include a stealer targeting developer secrets.
The payload appears to scan for sensitive files (like .npmrc, .bash_history, and SSH keys) and exfiltrates them. This is particularly nasty because node-ipc is a dependency in many larger projects, so you might be pulling this in transitively without knowing it.
If you are managing Node.js infrastructure, I recommend scrubbing your environment immediately. You can scan your package-lock. to see if you resolved one of the bad versions:
`grep -E '(node-ipc.*9\.1\.6|node-ipc.*9\.2\.3|node-ipc.*12\.0\.1)' package-lock.`
If that returns a match, assume your developer secrets are compromised. You should also run `npm audit fix --force` to downgrade to the last safe version.
With supply chain attacks like this becoming more frequent, how is everyone handling the review process for transitive dependencies? Are you relying solely on automated lockfile audits, or do you have manual gates for minor version bumps?
We actually caught this in our CI pipeline this morning because we block egress traffic from our build runners to anything other than the internal registry and specific whitelisted CDNs. The build failed when the malicious package tried to phone home.
I highly recommend egress filtering for your CI/CD agents. It adds a bit of overhead to maintain the whitelist, but it stops these data exfiltration attempts dead in their tracks.
The issue with node-ipc is that it has a massive footprint in the ecosystem. We found it nested three levels deep in a utility library we haven't touched in months.
We are moving to require signed commits for all direct dependencies, but transitive dependencies are still a blind spot. We just enabled Socket.dev in our PR checks to analyze the behavior of dependencies before merge.
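Added example, not code from anyone in this thread: a small Python scanner for the check the original post describes (grep the lockfile for the three listed node-ipc versions) that also answers the "nested three levels deep" problem raised in the reply above by reporting the install path through which each bad copy was resolved. It reads both lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages` map) and compares exact version strings instead of a regex, so `9.1.6` cannot match `9.1.60` or `19.1.6`. The affected-version list is taken from the post; the sample lockfiles and every package name in them other than node-ipc are constructed for the example.

```python
# Added example (not from the thread): walk an npm package-lock.json and report
# every resolved node-ipc whose version is one of the three the post lists,
# together with the install path that pulled it in, so transitive copies
# nested several levels deep are found as well as direct ones.
import json
import sys

# Versions named in the original post; extend the dict if other packages need watching.
AFFECTED = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}


def _walk_v1(deps, chain, hits):
    # lockfileVersion 1: nested "dependencies" objects, one level per node_modules dir.
    for name, info in (deps or {}).items():
        path = chain + [name]
        if info.get("version") in AFFECTED.get(name, set()):
            hits.append((name, info["version"], " > ".join(path)))
        _walk_v1(info.get("dependencies"), path, hits)


def _walk_v2(packages, hits):
    # lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
    # "node_modules/a/node_modules/@scope/b"; the nesting is encoded in the key.
    for key, info in packages.items():
        if not key:
            continue  # "" is the root project itself
        path = [p.rstrip("/") for p in key.split("node_modules/") if p]
        name = path[-1]
        if info.get("version") in AFFECTED.get(name, set()):
            hits.append((name, info["version"], " > ".join(path)))


def find_affected(lock):
    """Return sorted (package, version, install_path) tuples for exact matches on AFFECTED.

    The path is the physical node_modules nesting: hoisted packages show up at
    the top level even when a deep transitive dependency requested them.
    A version missing from AFFECTED is reported as "no match", not as verified safe.
    """
    hits = []
    if "packages" in lock:  # v2 lockfiles carry both sections; prefer the newer one
        _walk_v2(lock["packages"], hits)
    else:
        _walk_v1(lock.get("dependencies"), [], hits)
    return sorted(set(hits))


# Constructed sample lockfiles (package names other than node-ipc are made up).
SAMPLE_LOCK_V3 = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"some-utility": "^1.0.0"}},
        "node_modules/some-utility": {"version": "1.4.0", "dependencies": {"ipc-helper": "^2.0.0"}},
        "node_modules/ipc-helper": {"version": "2.1.0", "dependencies": {"node-ipc": "^9.2.0"}},
        "node_modules/ipc-helper/node_modules/node-ipc": {"version": "9.2.3"},
        "node_modules/node-ipc": {"version": "9.1.5"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "legacy-tool": {"version": "3.0.0", "dependencies": {"node-ipc": {"version": "12.0.1"}}},
        "node-ipc": {"version": "9.1.5"},
    },
}


def main(argv):
    # Usage: python scan_lock.py package-lock.json [more lockfiles...]
    # With no arguments the two constructed samples are scanned instead.
    lockfiles = argv[1:]
    if not lockfiles:
        locks = [("sample-v3", SAMPLE_LOCK_V3), ("sample-v1", SAMPLE_LOCK_V1)]
    else:
        locks = []
        for path in lockfiles:
            with open(path, encoding="utf-8") as fh:
                locks.append((path, json.load(fh)))
    dirty = False
    for label, lock in locks:
        for name, version, chain in find_affected(lock):
            dirty = True
            print(f"{label}: {name}@{version} resolved via {chain}")
    return 1 if dirty else 0  # non-zero exit lets a CI step fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against every lockfile in a repository (workspaces often have more than one) and wire the non-zero exit code into the same CI stage that already runs `npm audit`; the reported install path tells you which direct dependency to pin or replace so the bad copy stops being resolved.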