Critical Security Breach: Malicious Backdoor Discovered in Node-IPC Package Versions
Security researchers have identified a supply-chain compromise of Node-IPC, a widely used Node.js module for inter-process communication. Three published versions, 9.1.6, 9.2.3 and 12.0.1, carry obfuscated backdoor code designed to steal sensitive information from the developer machines and build systems that install them.
The malicious code fingerprints the host environment, reads local files, compresses the collected data and exfiltrates it to an external command-and-control (C2) server. The compromised versions were published by an npm account named atiertant, which is not associated with the original package author, riaevangelist. How that account obtained publish rights to the package is the central open question for judging the integrity of the package's maintenance and distribution going forward.
Notably, the malware does not rely on the usual npm lifecycle hooks (preinstall/postinstall scripts). Instead, an Immediately Invoked Function Expression (IIFE) is appended to the end of the node-ipc.cjs file, so the malicious code runs whenever the package is required by an application. A practical consequence is that installing with scripts disabled (for example npm install --ignore-scripts) offers no protection here, and audits that only inspect package.json scripts will miss it. The payload also gates itself on a SHA-256 fingerprint of the host, running its full logic only on matching systems; this indicates a targeted attack and means that executing the package in a generic sandbox may show no malicious behaviour at all.
Stolen data is sent to a look-alike domain mimicking Azure infrastructure, sh.azurestaticprovider[.]net. To evade detection, the code overrides the DNS resolver used by the Node.js process so that lookups go to public DNS services rather than the system-configured resolver. This sidesteps DNS-based controls such as internal sinkholes, filtering resolvers and DNS query logging, so blocking the C2 domain only on the corporate DNS server is not sufficient; egress must also be controlled at the network or proxy layer.
This incident is not the first security issue associated with the Node-IPC package. In March 2022 the maintainer shipped destructive functionality in versions 10.1.1 and 10.1.2 as a form of protest against geopolitical events (tracked as CVE-2022-23812): the code overwrote files on systems whose IP address geolocated to Russia or Belarus, causing significant disruption for users.
Developers and organizations using the Node-IPC package are strongly advised to:
– Identify every copy of the compromised versions (9.1.6, 9.2.3 and 12.0.1), including transitive copies pulled in by other dependencies, remove them and reinstall known clean versions (9.2.1 and 12.0.0).
– Rotate all credentials and secrets that may have been exposed on affected machines and CI runners, including npm tokens, cloud keys, SSH keys and .env contents.
– Audit npm publish activity for any packages that the rotated tokens could publish, since a stolen token can be used to push further malicious releases.
– Review CI workflow run logs for suspicious activity during the period in which a compromised version was installed.
– Examine cloud audit logs for unauthorized actions performed by IAM identities whose credentials were present on affected systems during that period.
– Block egress traffic to the identified C2 domain at the network or proxy layer, not only in DNS, to prevent further data exfiltration.
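The following Node.js script is an added example written for this page; it is not code from the article or from the node-ipc project. It implements two of the checks above: it walks a parsed package-lock.json (v2/v3 format, which keys every installed copy by path, so nested transitive copies are found) for the version numbers the article names, and it applies a heuristic to the text of node-ipc.cjs for the appended-IIFE shape the article describes. The C2 domain is the one from the article, written without the [.] defanging so it can be matched; the other indicator strings (dns.setServers, createHash(, zlib) and the sample lockfile and source texts are constructed assumptions for illustration.

```javascript
// Added example for this page, not code from the article or from node-ipc.

// Versions the article names as backdoored.
const COMPROMISED_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']);

// C2 domain from the article, undefanged so it can be matched in file text.
const C2_DOMAIN = 'sh.azurestaticprovider.net';

// Assumed indicators for the behaviour described (resolver override,
// fingerprinting, compression). Legitimate code uses these too, so they only
// count when they appear after the module's exports, inside a trailing IIFE.
const BEHAVIOUR_INDICATORS = ['dns.setServers', 'createHash(', 'zlib'];

// package-lock.json v2/v3: "packages" maps install path -> metadata, so a
// nested copy like node_modules/x/node_modules/node-ipc is included.
function findCompromisedNodeIpc(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = meta.name ||
      path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'node-ipc' && COMPROMISED_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// A normal CommonJS module ends with its exports. The article says the payload
// is an IIFE appended after the module body, so look at what follows the last
// module.exports assignment and check whether it ends in an immediate call "...)()".
function inspectNodeIpcSource(source) {
  const idx = source.lastIndexOf('module.exports');
  const afterExports = (idx === -1 ? source : source.slice(idx)).trimEnd();
  const trailingIife = /\)\s*\(\s*\)\s*;?$/.test(afterExports);
  const c2Domain = source.includes(C2_DOMAIN);
  const indicators = BEHAVIOUR_INDICATORS.filter((s) => afterExports.includes(s));
  return {
    trailingIife,
    c2Domain,
    indicators,
    // The domain alone is conclusive; the IIFE shape needs a behaviour indicator
    // as well, because some legitimate modules export the result of an IIFE.
    suspicious: c2Domain || (trailingIife && indicators.length > 0),
  };
}

// Constructed sample lockfile: a clean direct copy and a compromised nested copy.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/node-ipc': { version: '12.0.1' },
  },
};

// Constructed source samples: a benign module tail, and the same tail with an
// inert placeholder IIFE appended in the shape the article describes.
const CLEAN_SOURCE =
  "'use strict';\nconst IPC = require('./services/IPC.js');\nmodule.exports = new IPC();\n";
const TAMPERED_SOURCE = CLEAN_SOURCE +
  '(function () {\n' +
  "  const dns = require('dns'); dns.setServers(['8.8.8.8']);\n" +
  "  const host = 'sh.azurestaticprovider.net'; // constructed placeholder\n" +
  '})();\n';

console.log('compromised copies:', findCompromisedNodeIpc(SAMPLE_LOCKFILE));
console.log('clean source:', inspectNodeIpcSource(CLEAN_SOURCE));
console.log('tampered source:', inspectNodeIpcSource(TAMPERED_SOURCE));
```

To use it against a real project, replace SAMPLE_LOCKFILE with JSON.parse of the project's package-lock.json and feed each installed node-ipc.cjs to inspectNodeIpcSource; a hit on the version list is decisive on its own, while the source heuristic is a triage signal to be confirmed by diffing the file against a copy of a known clean release.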
This incident underscores the importance of treating open-source dependencies as untrusted input: pin and lock versions, review what changes when a dependency updates, watch for publishes from unfamiliar maintainer accounts, and keep incident-response playbooks ready for supply chain attacks.