## Backdoored node-ipc npm Packages Caught Stealing Credentials via DNS Exfiltration to Azure Infrastructure
Three malicious versions of the popular `node-ipc` npm package have been identified deploying credential-stealing malware through a supply chain compromise, according to Datadog Security Labs. Versions 9.1.6, 9.2.3, and 12.0.1 activate upon loading the CommonJS entrypoint (`node-ipc.cjs`), silently forking a detached child process that harvests sensitive credentials—including AWS keys, SSH keys, and Kubernetes configurations—and compresses exfiltrated data before transmitting it via DNS TXT queries to `sh.azurestaticprovider.net:443`.

The attack chain demonstrates careful operational tradecraft. Once activated, the malware scans for files containing sensitive data, including `.env` files and `wp-config.php` configuration files. Harvested content undergoes gzip compression followed by XOR encryption using a hardcoded key, then is encoded with a custom base64 scheme before being packetized into DNS TXT queries. This DNS tunneling technique allows the malware to bypass network monitoring focused on HTTP/HTTPS traffic, using standard DNS resolution as a covert command-and-control channel. Defenders can identify the backdoor by searching for detached processes spawned with the `__ntw=1` environment variable or by monitoring for anomalous DNS TXT query patterns under the `bt.node.js` subdomain hierarchy.
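The two detection hooks named above (the `__ntw=1` environment marker on the detached child and unusual DNS TXT queries toward the C2 hierarchy) can be turned into a small log scanner. The following is an added example, not code from the original report or from Datadog Security Labs. The resolver log layout (timestamp, client IP, query type, query name) and the sample lines are constructed for illustration; placing the exfil label directly under `bt.node.js.sh.azurestaticprovider.net` in the samples is an assumption for the demo, not a structure the report describes, and the 40-character label threshold is an assumed tunnelling heuristic.

```javascript
// Added example (not from the report): flag DNS TXT queries matching the
// indicators in the write-up, plus a host-side check for the __ntw marker.

const C2_DOMAIN = "sh.azurestaticprovider.net"; // endpoint named in the report
const HIERARCHY_MARKER = "bt.node.js";          // subdomain hierarchy named in the report
const LONG_LABEL = 40;                           // tunnelling heuristic (assumed threshold)
const BACKDOOR_ENV = "__ntw";                    // env var named in the report

// Constructed resolver log: benign lookups mixed with tunnel-shaped TXT queries.
// Field order (ts, client, qtype, qname) is an assumption for this sample.
const SAMPLE_DNS_LOG = `
2026-05-14T21:00:01Z 10.0.0.12 A www.example.com
2026-05-14T21:00:02Z 10.0.0.12 TXT _dmarc.example.com
2026-05-14T21:00:03Z 10.0.0.12 TXT x7f9a2c4e1b0d83f5a6e9c2b1d4f7a0e3c5b8d9f1e2a.bt.node.js.sh.azurestaticprovider.net
2026-05-14T21:00:04Z 10.0.0.12 TXT 9b1c3e5f7a2d4c6e8f0a1b3c5d7e9f2a4b6c8d0e1f3b.bt.node.js.sh.azurestaticprovider.net
2026-05-14T21:00:05Z 10.0.0.12 TXT ping.sh.azurestaticprovider.net
2026-05-14T21:00:06Z 10.0.0.12 A sh.azurestaticprovider.net
`;

function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  return { ts, client, qtype, qname };
}

// Returns the indicator names one query matches; an empty list means benign.
// Only TXT queries are considered, since that is the record type the report names.
function classifyQuery(q) {
  const reasons = [];
  if (q.qtype !== "TXT") return reasons;
  const name = q.qname.toLowerCase().replace(/\.$/, ""); // strip trailing root dot
  if (name === C2_DOMAIN || name.endsWith("." + C2_DOMAIN)) reasons.push("c2-domain");
  // match bt.node.js as a whole label sequence, not as a substring of a longer label
  if (("." + name + ".").includes("." + HIERARCHY_MARKER + ".")) reasons.push("bt.node.js-hierarchy");
  const longest = Math.max(...name.split(".").map((label) => label.length));
  if (longest >= LONG_LABEL) reasons.push("long-label");
  return reasons;
}

// Scan a whole log; returns only the suspicious queries, each with its reasons.
function scanDnsLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map(parseLine)
    .map((q) => ({ ...q, reasons: classifyQuery(q) }))
    .filter((q) => q.reasons.length > 0);
}

// Host-side check: the report says the detached child runs with __ntw=1.
// Pass any environment object (e.g. one parsed from /proc/<pid>/environ).
function hasBackdoorMarker(env) {
  return env[BACKDOOR_ENV] === "1";
}

// Demo run over the constructed log.
for (const hit of scanDnsLog(SAMPLE_DNS_LOG)) {
  console.log(`${hit.ts} ${hit.client} TXT ${hit.qname} -> ${hit.reasons.join(", ")}`);
}
console.log("current process:", hasBackdoorMarker(process.env) ? "__ntw=1 PRESENT" : "no marker");
```

Three of the six sample lines are flagged: the two long-label queries hit all three indicators, the short `ping` query hits only the domain match, and the A record for the same domain is ignored because the report describes TXT-based exfiltration. In production the domain match alone is high-confidence; the long-label heuristic is there to catch the same tunnelling shape should the domain change.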

The incident underscores persistent risks in the npm package ecosystem, where trusted dependencies can be weaponized with minimal user interaction. Organizations with these specific versions in their dependency trees face immediate exposure and should conduct thorough audits for signs of data exfiltration, rotate all potentially compromised credentials, and review their npm package installation controls. The use of Azure Static Web Apps infrastructure for the C2 endpoint suggests the attackers leveraged legitimate cloud services to evade detection filters based on domain reputation.
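The audit step above starts with confirming whether any of the three named versions is actually installed, including as a transitive dependency. The following is an added example, not code from the original report or from npm: it walks a `package-lock.json` (both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1) and reports every `node-ipc` entry at 9.1.6, 9.2.3 or 12.0.1. The lockfile object embedded below is constructed for the demo; the affected-version list is the one the report gives.

```javascript
// Added example (not from the report): find affected node-ipc versions in a lockfile.

const AFFECTED_VERSIONS = new Map([
  ["node-ipc", new Set(["9.1.6", "9.2.3", "12.0.1"])], // versions named in the report
]);

// Constructed lockfileVersion 3 document: one direct hit, one nested copy
// at a version the report does not list, and an unrelated package.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "node-ipc": "^9.2.0", "legacy-tool": "1.0.0" } },
    "node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/legacy-tool": { version: "1.0.0", dependencies: { "node-ipc": "9.1.5" } },
    "node_modules/legacy-tool/node_modules/node-ipc": { version: "9.1.5" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Package name from a v2/v3 install path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(installPath) {
  return installPath.split("node_modules/").pop();
}

function isAffected(name, version) {
  const bad = AFFECTED_VERSIONS.get(name);
  return bad !== undefined && bad.has(version);
}

// Returns [{ name, version, where }] for every affected entry in the lock.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // root project entry, not a dependency
      const name = meta.name || nameFromPath(installPath);
      if (isAffected(name, meta.version)) {
        hits.push({ name, version: meta.version, where: installPath });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree (ranges live in "requires")
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = prefix + "node_modules/" + name;
        if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, where });
        walk(meta.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Against a real project:
//   findAffected(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
const found = findAffected(SAMPLE_LOCK);
for (const h of found) console.log(`AFFECTED: ${h.name}@${h.version} at ${h.where}`);
console.log(found.length === 0 ? "no affected node-ipc versions found" : `${found.length} affected entr${found.length === 1 ? "y" : "ies"}`);
```

On the constructed lock this reports a single hit, `node-ipc@9.2.3` at `node_modules/node-ipc`; the nested 9.1.5 copy is not flagged because it is not one of the versions the report names. A clean result from the lockfile only tells you what `npm ci` would install; a machine where one of the bad versions was installed at some point still needs the credential rotation and exfiltration review described above.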

---
- **Source**: Mastodon:mastodon.social:#cybersecurity
- **Sector**: The Lab
- **Tags**: npm, supply-chain-attack, malware, credential-theft, dns-exfiltration
- **Credibility**: unverified
- **Published**: 2026-05-14 21:18:35
- **ID**: 83188
- **URL**: https://whisperx.ai/en/intel/83188