Critical Malware Alert: Three Versions of Popular Node-IPC Package Inject Stealer Backdoor

Cybersecurity researchers have issued an urgent warning after discovering that three newly published versions of the widely used Node-IPC npm package contain malicious code designed to steal developer secrets. The compromised versions — node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 — have been confirmed as containing a hidden stealer backdoor, according to security firms Socket and StepSecurity.

"This is a supply chain attack targeting the development community," said a spokesperson from Socket. "Early analysis indicates that the malware exfiltrates sensitive data such as API keys, credentials, and other configuration files from infected developer environments." The backdoor is capable of silently collecting private information and transmitting it to remote servers controlled by the attackers.

Immediate Action Required

Developers who have installed any of the three malicious versions are urged to immediately rotate all exposed secrets and revoke access tokens. The npm package, used for inter-process communication, has been downloaded millions of times, making this a high-impact incident.

Source: feeds.feedburner.com

StepSecurity noted that the malicious versions were published between late March and early April 2025. "We recommend rolling back to a clean version, such as 9.1.5 or earlier, and conducting a thorough audit of any projects that may have incorporated the backdoor," advised a StepSecurity researcher.

Background: Node-IPC and the Supply Chain Threat

Node-IPC is a popular npm library that provides a straightforward API for inter-process communication in Node.js applications. Its widespread use in both open-source and commercial projects makes it an attractive target for supply chain attacks.

Supply chain attacks occur when malicious code is injected into legitimate software components, allowing attackers to compromise downstream users. In this case, the backdoor is designed to remain hidden while exfiltrating developer secrets — credentials, API tokens, and encryption keys — that could be used to breach internal systems or steal intellectual property.

Socket and StepSecurity first flagged the suspicious activity on April 5, 2025, after automated scanning detected anomalous network calls and data exfiltration routines in the newly published versions. The npm registry has been notified, but the malicious packages remain available for download as of press time.

What This Means for Developers and Organizations

This incident underscores the critical need for supply chain security best practices. Developers should implement automated scanning for known malicious packages and consider using tools that detect behavioral anomalies, such as unexpected outbound network connections.

Organizations should treat any developer workstation that ran one of the affected versions as potentially compromised. "It's not just about the code you wrote; it's about the secrets the developer had access to," explained a cybersecurity analyst familiar with the investigation. "This backdoor could give attackers a foothold into internal CI/CD pipelines, cloud accounts, and source code repositories."

As a preventive measure, development teams are encouraged to:

  • Audit package-lock.json and yarn.lock files for the malicious versions.
  • Rotate all credentials and API keys stored on affected systems.
  • Enable two-factor authentication on critical accounts.
  • Monitor for any unusual activity associated with the exfiltrated services.
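To make the first step concrete, the following is an added example (not code from the article, Socket or StepSecurity) that walks a package-lock.json in either the v1 nested or the v2/v3 flat layout and a yarn.lock in classic or berry syntax, flagging the three node-ipc versions named above; the lockfile fragments at the bottom are constructed sample input.

```javascript
// Added example (not from the article, Socket or StepSecurity): flag the three
// node-ipc versions named in the report inside package-lock.json and yarn.lock.
const MALICIOUS = { "node-ipc": new Set(["9.1.6", "9.2.3", "12.0.1"]) };
function isBad(name, version) {
  return Boolean(MALICIOUS[name] && MALICIOUS[name].has(version));
}

// package-lock.json: v1 nests "dependencies"; v2/v3 add a flat "packages" map keyed by install path.
function findInPackageLock(json) {
  const lock = typeof json === "string" ? JSON.parse(json) : json;
  const hits = new Set();
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || p.split("node_modules/").pop(); // last path segment is the package name
    if (isBad(name, meta.version)) hits.add(`${name}@${meta.version}`);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (isBad(name, meta.version)) hits.add(`${name}@${meta.version}`);
      walk(meta.dependencies); // nested copies in v1 lockfiles
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// yarn.lock: header `node-ipc@^9.1.0, node-ipc@9.1.6:` (classic) or `"node-ipc@npm:^9.1.0":` (berry)
function findInYarnLock(text) {
  const hits = new Set();
  let current = null; // package name of the block being read
  for (const line of text.split("\n")) {
    if (line && !/^\s/.test(line) && line.endsWith(":")) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      const at = spec.indexOf("@", 1); // skip the leading "@" of scoped packages
      current = at > 0 ? spec.slice(0, at) : spec;
      continue;
    }
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/); // classic `version "x"` or berry `version: x`
    if (current && m && isBad(current, m[1])) hits.add(`${current}@${m[1]}`);
  }
  return [...hits].sort();
}

// Constructed sample lockfile fragments so the script runs stand-alone.
const SAMPLE_PACKAGE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo" }, "node_modules/node-ipc": { version: "9.2.3" },
  "node_modules/other/node_modules/node-ipc": { version: "9.1.5" } } };
const SAMPLE_YARN_LOCK = ['node-ipc@^12.0.0:', '  version "12.0.1"',
  '  resolved "https://registry.example/node-ipc-12.0.1.tgz"', '',
  'left-pad@^1.0.0:', '  version "1.3.0"'].join("\n");
console.log(findInPackageLock(SAMPLE_PACKAGE_LOCK), findInYarnLock(SAMPLE_YARN_LOCK));
```

Point the two functions at real lockfiles by reading them with fs.readFileSync; a non-empty result means the project pinned one of the affected versions and the rotation steps above apply.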

The full list of known command-and-control endpoints and indicators of compromise (IoCs) has been published by Socket and StepSecurity. Developers can cross-reference their logs against these IoCs to determine if data has already been leaked.

This is a developing story. More details are expected as researchers continue to analyze the malware's payload and attack vector. In the meantime, the message from security experts is clear: assume a breach and act decisively.
