Supply Chain Alert: Malicious node-ipc Versions Exfiltrating Dev Secrets
Heads up, everyone. Just saw the alerts coming in from Socket and StepSecurity regarding another supply chain incident, this time affecting the node-ipc package.
According to the reports, three specific versions have been confirmed malicious and are actively targeting developer secrets:
node-ipc@9.1.6
node-ipc@9.2.3
node-ipc@12.0.1
The payload is described as a stealer/backdoor, likely targeting sensitive files like .npmrc, .aws/credentials, or SSH keys on the machine running the build. Since node-ipc is a fairly common dependency, the blast radius here could be significant, especially for CI/CD pipelines pulling directly from the npm registry without pinning.
I recommend checking your package-lock.json or yarn.lock files immediately to see if any of your direct or transitive dependencies are resolving to these versions.
You can use a quick grep to scan your lockfiles:
grep -En "node-ipc.*(9\.1\.6|9\.2\.3|12\.0\.1)" package-lock.json yarn.lock
If you find a match, update to a safe version immediately and audit your environment for any leaked credentials.
How is everyone handling dependency pinning in their orgs? Are you strictly locking versions, or do you allow range updates with automated CI scans?
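As an added example (not code from the original post or from the node-ipc project), here is a small Python scanner that goes a step beyond the grep: it parses package-lock.json (lockfile v1 through v3) and classic yarn.lock files and reports every node-ipc resolution to one of the three versions listed above, including transitive ones. The MALICIOUS table and the sample lockfiles are constructed for the demo.

```python
import json
import re

# Versions named in the thread above; an assumed list for this demo, not an authoritative feed.
MALICIOUS = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}


def scan_package_lock(text):
    """Return [(node_modules path, version)] hits for package-lock.json v1, v2 or v3."""
    data, hits = json.loads(text), []
    if "packages" in data:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in data["packages"].items():
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version") in MALICIOUS.get(name, ()):
                hits.append((path, meta["version"]))
        return hits

    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in MALICIOUS.get(name, ()):
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")
    walk(data.get("dependencies", {}), "")
    return hits


def scan_yarn_lock(text):
    """Return [(package name, version)] hits for a yarn.lock in the classic v1 format."""
    hits, names = [], []
    for line in text.splitlines():
        if line and not line[0].isspace() and line[0] != "#" and line.endswith(":"):
            names = []  # entry header, e.g.  "node-ipc@^9.1.6", node-ipc@9.1.6:
            for sel in line[:-1].split(","):
                sel = sel.strip().strip('"')
                at = sel.rfind("@")  # last '@' splits name from range, keeping @scope/ prefixes
                names.append(sel[:at] if at > 0 else sel)
        elif names:
            m = re.match(r'\s+version\s+"?([^"\s]+)"?\s*$', line)
            if m:
                hits.extend((n, m.group(1)) for n in set(names) if m.group(1) in MALICIOUS.get(n, ()))
                names = []
    return hits


# Constructed sample lockfiles for the demo (not real project files).
SAMPLE_PACKAGE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"}, "node_modules/node-ipc": {"version": "9.2.3"},
    "node_modules/some-tool/node_modules/node-ipc": {"version": "9.1.5"}}})
SAMPLE_YARN_LOCK = '# yarn lockfile v1\n\n"node-ipc@^12.0.0":\n  version "12.0.1"\n\n"@scope/safe@^1.0.0":\n  version "1.0.0"\n'
```

Feed the two functions the contents of your own lockfiles; any non-empty result is a resolution to one of the flagged versions and its path tells you which dependency pulled it in.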
We're seeing this hit some dev environments already. The malicious versions start a socket connection and exfiltrate data. Beyond just checking the lockfile, you should check your SBOMs against the CPEs if you have an automated pipeline. We use Syft and Grype to catch this stuff at build time before it hits production.
Good post. If you are using Kubernetes, make sure to rebuild your images from scratch rather than just redeploying. If your base image or build cache has the malicious layer, you might still be running the bad code even after updating your source code repository.