A backdoor stealer was discovered in three versions of the Node-IPC package, targeting developers to steal secrets. Versions 1.0.0, 1.0.1, and 1.0.2 contained malicious code that extracted API keys, access tokens, and environment variables. The malware operated silently, sending data to a remote server. This incident shows how exposed the software supply chain is.
Technical analysis of the malicious code 🔍
The malicious code was activated upon installing the package, executing a script that collected information from the infected system. It used Node.js functions to read environment variables and configuration files, exfiltrating the data to a remote endpoint. The attackers designed the stealer to be stealthy, leaving no obvious traces in the logs. The security community recommends auditing dependencies and using static analysis tools to detect similar threats in the npm ecosystem.
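One way to act on the dependency-audit recommendation, as an added example that is not part of the original article or of any project's code: a check over a parsed `package-lock.json` that reports the three versions named above and every package that runs a script at install time. It assumes npm's lockfile v2/v3 layout (a `packages` map with the `hasInstallScript` flag); `auditLockfile`, `nameFromPath` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Denylist holds only the versions named in this article.
const DENYLIST = new Map([["node-ipc", ["1.0.0", "1.0.1", "1.0.2"]]]);

// The package name is whatever follows the last "node_modules/" in the key,
// so nested copies ("node_modules/a/node_modules/node-ipc") are caught too.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromPath(path); // meta.name is set for aliases
    const version = meta.version || "";
    if ((denylist.get(name) || []).includes(version)) {
      findings.push({ path, name, version, reason: "denylisted-version" });
    }
    // npm sets hasInstallScript when a package declares install-time scripts.
    if (meta.hasInstallScript === true) {
      findings.push({ path, name, version, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/left-helper": { version: "2.3.1" },
    "node_modules/native-thing": { version: "4.0.0", hasInstallScript: true },
    "node_modules/left-helper/node_modules/node-ipc": {
      version: "1.0.1",
      hasInstallScript: true,
    },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.reason}\t${f.name}@${f.version}\t${f.path}`);
}
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json`. An `install-script` finding is a prompt for manual review, not proof of malice.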
The surprise gift nobody asked for in their project 🎁
Because, of course, what every developer needs is a package that, besides managing IPC processes, decides to play spy and take your tokens as a souvenir. Node-IPC now offers premium features: install it and get your credentials stolen at no extra cost. If you wanted to feel like you're in a hacker movie, you've already achieved it. The good thing is that at least the package didn't wipe the hard drive, so we can call it a moderate gift.