Cybersecurity researchers at Socket and StepSecurity have confirmed that three corrupted versions of the node-ipc npm package are actively stealing developer secrets. The malicious code was found in versions 9.1.6, 9.2.3, and 12.0.1 of node-ipc, a widely used inter-process communication library for Node.js applications. These versions were published to the npm registry between February 1 and April 22, 2022, but the tampering went unnoticed until April 2022, when Socket's security team flagged the issue; StepSecurity later verified the findings independently.

The backdoor was designed to exfiltrate sensitive files from a developer's system, including environment variables, SSH keys, and configuration files, and send them to a remote server controlled by the attacker. So far there is no public evidence of widespread exploitation, but security experts warn that even a single compromised developer could expose entire organizations to supply chain attacks. The npm registry has since yanked the malicious versions, but the incident raises fresh concerns about the security of open-source software dependencies.

The attack follows a broader trend of supply chain compromises in which attackers target widely used libraries to reach a large victim base. In 2021, the infamous SolarWinds hack used a similar approach, infiltrating thousands of organizations through a single compromised software update. Unlike that attack, which required sophisticated nation-state resources, the node-ipc incident appears to have been carried out by less-skilled threat actors, suggesting that the barrier to entry for supply chain attacks is dropping.

Developers who installed any of the three compromised versions should immediately audit their systems for signs of compromise and rotate all exposed secrets, including API keys, passwords, and SSH keys.
The npm registry's security team has published guidance on detecting and removing the malicious code, but the cleanup could take weeks for organizations with large codebases.

This is not the first time node-ipc has been in the spotlight. In early 2022, the package's maintainer, RIAEvangelist, faced backlash for including a controversial feature that allowed node-ipc to act as a remote kill switch for systems running it. That feature was later removed after public outcry, but the new backdoor has reignited debate about the trustworthiness of open-source maintainers and the reliability of npm packages.

The incident also highlights the risk of transitive dependencies. Many projects rely on node-ipc indirectly through other packages, so developers may be running the compromised versions without realizing it. Tools like Socket and Dependabot can help detect vulnerable dependencies, but they are not foolproof.

The npm registry has yet to say publicly whether it will introduce stricter vetting of package updates, but the incident is likely to accelerate calls for better security practices across the open-source ecosystem. For now, developers should treat it as a reminder to audit their dependency trees regularly and avoid running untrusted code. Yanking the malicious versions was the right immediate response, but the broader problem of supply chain security remains unresolved.
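The transitive-dependency audit the article recommends can be done against a project's lockfile. The following is an added example, not code from the article or from the node-ipc project; it assumes a lockfileVersion 2 or 3 package-lock.json (the flat "packages" map) and uses a constructed sample lockfile in place of a real one.

```javascript
// Added example, not code from the article or the node-ipc project: scan a
// parsed package-lock.json (lockfileVersion 2 or 3) for node-ipc at the three
// versions the article names, including copies vendored under other packages.
const COMPROMISED_NODE_IPC = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// The "packages" map is keyed by install path, e.g.
// "node_modules/some-cli/node_modules/node-ipc". The last "node_modules/"
// segment is the package name; the one before it is the dependent that
// vendored this copy (scoped names such as "@acme/tooling" stay intact).
function findCompromisedNodeIpc(lockfile, affected = COMPROMISED_NODE_IPC) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project's own entry
    const segments = path.split("node_modules/");
    const name = segments.pop();
    if (name !== "node-ipc" || !affected.has(meta.version)) continue;
    const via = (segments.pop() || "").replace(/\/$/, "") || "<root project>";
    hits.push({ path, version: meta.version, via });
  }
  return hits;
}

// Constructed sample lockfile: a safe top-level node-ipc plus two compromised
// copies reachable only through other packages, the case the article warns about.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/node-ipc": { version: "9.1.1" },
    "node_modules/some-cli": { version: "1.0.0" },
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/@acme/tooling": { version: "2.0.0" },
    "node_modules/@acme/tooling/node_modules/node-ipc": { version: "12.0.1" },
  },
};

// On a real project: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
for (const h of findCompromisedNodeIpc(SAMPLE_LOCK)) {
  console.log(`${h.path}: node-ipc@${h.version} pulled in by ${h.via}`);
}
```

Any hit means the offending dependent must be upgraded or pinned to a safe node-ipc release, and every secret the affected machine could read should be treated as exposed.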

What You Need to Know

  • Source: The Hacker News
  • Published: May 14, 2026 at 17:22 UTC
  • Category: Security
  • Topics: #hackernews · #security · #vulnerabilities · #cybersecurity · #stealer-backdoor-found · #node



Curated by GlobalBR News · May 14, 2026


🇧🇷 Summary (translated from Portuguese)

A silent but lethally efficient attack has struck at the heart of Brazilian software development: hackers hid a backdoor in three popular versions of a JavaScript library used by thousands of developers in the country. The discovery of a malicious backdoor in the node-ipc packages (versions 9.1.6, 9.2.3 and 12.0.1) exposed how intruders can steal secrets from professionals and companies simply by exploiting vulnerabilities in open-source tools widely used across the national development ecosystem.

The incident calls into question trust in repositories such as npm, where thousands of Brazilian developers, from startups to large corporations, look for quick solutions for their projects. The backdoor, which activated under specific circumstances, allowed sensitive data such as API keys or credentials to leak directly to servers controlled by the attackers. Experts warn that Brazil, one of the largest IT markets in Latin America, is especially vulnerable to this kind of attack, given its dependence on foreign tools and the lack of rigorous oversight of third-party packages.

The situation demands immediate action: Brazilian developers must check their dependencies and migrate to safe versions of node-ipc, while regulators and companies need to strengthen their security policies to prevent new infected packages from spreading.