Malicious versions of the widely used npm package node-ipc contain a stealer backdoor designed to exfiltrate developer credentials and secrets, researchers at Socket and StepSecurity confirmed. Three specific versions (9.1.6, 9.2.3, and 12.0.1) contain the malicious code.
Node-ipc is a foundational Node.js library that enables inter-process communication and is depended upon by thousands of projects across the JavaScript ecosystem. The malicious code functions as both a stealer and a backdoor, targeting sensitive data developers store locally. This includes API keys, authentication tokens, private repository credentials, and environment configuration files that developers commonly maintain on their machines.
The threat compounds because node-ipc occupies a critical position in many dependency chains. Projects that updated to the affected versions unknowingly pulled the malicious code into their build environments and production systems. The backdoor operates with the privileges of the process running the application, granting attackers access to secrets accessible within that context.
Organizations running applications dependent on node-ipc face immediate risk. Developers whose machines executed the compromised versions face credential compromise. Attackers gaining access to stored secrets can pivot to internal systems, cloud environments, and other infrastructure the stolen credentials protect.
Socket and StepSecurity recommend developers immediately audit their dependency chains for the three affected versions. Organizations should rotate any credentials potentially exposed on machines that ran these versions. Node-ipc maintainers have been notified and should publish patched releases shortly.
The incident underscores the supply chain attack surface inherent in JavaScript package management. A single compromised package can distribute malware across thousands of downstream projects simultaneously. Automated dependency scanning tools that flag suspicious package behavior provide defense, though they require proactive integration into development workflows.
Developers should verify current node-ipc versions in production systems and development environments immediately.
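The audit recommended above can start from the lockfile. The following is an added example (not code from Socket, StepSecurity or the node-ipc project) that scans a parsed `package-lock.json`, in either the flat `packages` layout or the older nested `dependencies` layout, for node-ipc pinned at 9.1.6, 9.2.3 or 12.0.1; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flags the three node-ipc versions named in this article.
const AFFECTED = new Set(["9.1.6", "9.2.3", "12.0.1"]);
const TARGET = "node-ipc";

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Aliased installs carry an explicit "name"; otherwise use the path tail.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === TARGET && AFFECTED.has(meta.version)) {
      hits.push({ path: path || "(root)", version: meta.version });
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencies(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === TARGET && AFFECTED.has(meta.version)) {
      hits.push({ path: here.join(" > "), version: meta.version });
    }
    hits.push(...fromDependencies(meta.dependencies, here));
  }
  return hits;
}

// Accepts a parsed lockfile object and returns every affected pin,
// including transitive copies nested under other packages.
function findAffected(lock) {
  return lock.packages ? fromPackages(lock.packages)
                       : fromDependencies(lock.dependencies);
}

// Reads a real lockfile from disk (CommonJS; call from your own script).
function scanLockfile(file) {
  const fs = require("node:fs");
  return findAffected(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.0.0" }, // not one of the three listed
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.2.3" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A lockfile only records what is pinned, so a machine that installed without one still needs its `node_modules` tree checked, for example with `npm ls node-ipc`.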
