Forensic Summary
Three versions of the widely-used node-ipc npm package were found to contain obfuscated stealer/backdoor payloads published by an unauthorised maintainer account. The malware harvests 90 categories of developer secrets — including Claude AI and Kiro IDE configurations, AWS, Azure, and GCP credentials — and exfiltrates them via HTTPS and DNS tunnelling to an attacker-controlled domain. The compromise is notable for bypassing npm lifecycle hooks entirely and, in one version, targeting a specific developer via pre-computed SHA-256 fingerprinting.
Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/malicious-node-ipc-versions-target-cloud-ai-tool-credentials-via-supply-chain/
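The DNS-tunnelling channel described above leaves a characteristic trace in resolver logs: many distinct, long, high-entropy leading labels under one base domain. The following detector is an added example written for this summary, not code from the Grid the Grey post or from node-ipc; the log lines are constructed and the domain `exfil-placeholder.example` is a placeholder, not the real attacker domain.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the incident): one query per line,
# "<epoch> <client-ip> <qname>". The exfil domain is a placeholder.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 registry.npmjs.org
1700000001 10.0.0.5 4a7f3c9d2b1e8f0a6c5d7e9b1a3f5c7d.exfil-placeholder.example
1700000002 10.0.0.5 9b2e1d4c7f0a3b6e8d5c2a1f4e7b0d3c.exfil-placeholder.example
1700000003 10.0.0.5 0c3f2e5d8a1b4c7f9e6d3b0a2c5f8e1d.exfil-placeholder.example
1700000004 10.0.0.5 api.github.com
1700000005 10.0.0.5 7d1a4b8e2c5f0d3a6b9e2c5f8a1d4b7e.exfil-placeholder.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.0 for hex-encoded chunks, well below 3 for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels, base domain); base = last two labels (heuristic)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def flag_suspicious_domains(log_text, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Flag base domains whose leading labels look like encoded data, not hostnames."""
    per_base = defaultdict(set)  # base domain -> distinct leading labels seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        subs, base = split_qname(parts[2])
        if subs:
            per_base[base].add(subs[0])
    flagged = []
    for base, labels in per_base.items():
        if len(labels) < min_queries:
            continue
        avg_len = sum(len(lb) for lb in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lb) for lb in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_suspicious_domains(SAMPLE_DNS_LOG))
```

Tune the thresholds against your own resolver baseline; CDNs and some telemetry services also emit long labels, so treat a hit as a lead to correlate with the endpoint's installed packages, not as a verdict.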