Malicious code designed to steal developer credentials has been found injected into newly published versions of node-ipc, a widely used npm package for inter-process communication. The compromise, discovered on March 8, 2022, affected node-ipc versions 9.2.1 and 10.1.1, marking a significant supply chain attack against the npm ecosystem.

The injected malware specifically targeted environment variables, configuration files, and common developer artifacts. It searched for AWS credentials, SSH keys, and npm authentication tokens stored on affected systems. Once identified, this sensitive data was packaged and then exfiltrated to a remote server controlled by the attackers, typically via encrypted HTTPS POST requests. This method allowed the attackers to harvest a wide array of access tokens and secrets, potentially granting them unauthorized access to cloud infrastructure, source code repositories, and other critical developer accounts.

Node-ipc is a foundational component for many JavaScript projects, boasting millions of weekly downloads. Its widespread adoption means a compromise can ripple through thousands of dependent packages. One prominent project affected was vue-cli, the command-line interface for the popular Vue.js framework. Developers who installed or updated vue-cli during the compromise window unwittingly introduced the malicious node-ipc versions into their development environments.

The incident underscores a growing vulnerability in open-source software supply chains. Attackers increasingly target widely used packages, knowing a single successful compromise can grant access to countless downstream projects and their users. Previous incidents, such as the event-stream compromise in 2018 and the ua-parser-js attack in 2021, have shown similar patterns. These attacks exploit the inherent trust developers place in third-party libraries, turning a convenience into a potential security liability.

Security researchers swiftly identified the malicious packages and alerted the npm registry. npm subsequently removed the compromised versions, but the threat lingered for any developer who had already downloaded them. Organizations and individual developers were urged to audit their package-lock.json files and node_modules directories to ensure no vulnerable versions of node-ipc were present. Downgrading to a known-clean version or implementing strict dependency version pinning became immediate priorities.

Protecting against such supply chain attacks requires a multi-layered approach. Developers must exercise caution when adding new dependencies and routinely review existing ones for suspicious activity. Implementing stricter access controls for npm accounts, including multi-factor authentication, can help prevent account takeovers that lead to malicious package injections. Automated tools for dependency scanning and software composition analysis also play a role in identifying known vulnerabilities or unexpected changes within a project's dependency tree.

The node-ipc maintainer later released a new version, 11.0.0, which contained controversial "protestware" unrelated to the credential-stealing malware. This separate incident further complicated remediation efforts and highlighted the risks associated with a single maintainer's control over critical infrastructure. Developers were advised to pin a version such as 9.2.0 or earlier to avoid both the credential-stealing malware and the protestware. Security researcher John Hammond noted, "Any developer who pulled a compromised version needs to assume their credentials are breached and rotate every key, token, and password immediately."