<div id="readability-page-1">Three poisoned versions of node-ipc went live on the npm registry on May 14, according to SlowMist. Attackers hijacked a dormant maintainer account and pushed code designed to siphon developer credentials, private keys, exchange API secrets, the works, straight out of .env files.node-ipc is a popular Node.js package that lets different programs talk to each other on the same machine, or sometimes across a network.<h3>SlowMist catches the breach</h3>Blockchain security firm, SlowMist, spotted the breach through their MistEye threat intel system.Versions 9.1.6, 9.2.3, and 12.0.1MistEye found three malicious versions including:<ul><li>Version 9.1.6.</li><li>Version 9.2.3.</li><li>Version 12.0.1.</li></ul>All of the above verions carried the same obfuscated 80 KB payload.Node-ipc handles inter-process communication in Node.js. It basically helps Node.js programs send messages back and forth. Over 822,000 people download it each week.Node-ipc is used all over the crypto space. It’s used in the tools developers use to build dApps, in the systems that automatically test and deploy code (CI/CD), and in everyday developer tools.Each infected version had the same hidden malicious code bolted onto it. The moment any program loaded node-ipc, the code ran automatically.<figure id="attachment_278809"><img src="https://imageproxy.pbkrs.com/https://www.cryptopolitan.com/wp-content/uploads/2026/05/HIVBSqObwAAaPBg.jpeg?x-oss-process=image/auto-orient,1/interlace,1/resize,w_1440,h_1440/quality,q_95/format,jpg" width="1049" height="381" original-src="https://imageproxy.pbkrs.com/https://www.cryptopolitan.com/wp-content/uploads/2026/05/HIVBSqObwAAaPBg.jpeg"/><figcaption id="caption-attachment-278809">Screenshot from MistyEye showing malicious node-ipc packages. Source: SlowMist via X.</figcaption></figure>Researchers at StepSecurity figured out how the attack happened. The original developer of node-ipc had an email address tied to the domain atlantis-software[.] net. However, the domain expired on January 10, 2025.On May 7, 2026, the attacker bought the same domain through Namecheap, which gave them control of the developer’s old email. From there, they just hit “forgot password” on npm, reset it, and walked right in with full permission to publish new versions of node-ipc.The real developer had no clue any of this was happening. The malicious versions stayed live for about two hours before removal.<h3>The stealer looks for 90+ credential types</h3>The embedded payload hunts for over 90 types of developer and cloud credentials. AWS tokens, Google Cloud and Azure secrets, SSH keys, Kubernetes configs, GitHub CLI tokens, all on the list.For crypto devs, the malware specifically raids .env files. Those usually hold private keys, RPC node credentials, and exchange API secrets.To sneak the stolen data out, the payload uses DNS tunneling. It basically hides the files inside normal-looking internet lookup requests. Most network security tools don’t catch that.Security teams are saying any project that ran <code>npm install</code> or had auto-updated dependencies during that two hour window should assume compromise.Immediate steps, per guidance from SlowMist:<ul><li>Check lock files for node-ipc versions 9.1.6, 9.2.3, or 12.0.1.</li><li>Roll back to the last version you know is safe.</li><li>Change every credential that might have leaked.</li></ul>Supply chain attacks on npm have become a regular thing in 2026. Crypto projects get hit harder than most because stolen logins can be turned into stolen money fast.The smartest crypto minds already read our newsletter. Want in? Join them.</div>

RIOT

COIN

A supply chain attack targeted the popular Node.js package node-ipc, with attackers hijacking a dormant npm maintainer account to publish three malicious versions (9.1.6, 9.2.3, 12.0.1) that steal sensitive developer credentials and crypto keys. The breach was detected by SlowMist, and the malicious code was active for about two hours before removal. Developers are advised to check for these versions and change any potentially compromised credentials.

- Three malicious versions of the node-ipc package were published on the npm registry on May 14, following an account hijack by attackers who exploited a dormant maintainer's credentials.  
- The compromised versions contained a payload that targeted over 90 types of developer credentials and used DNS tunneling to exfiltrate data unnoticed.  
- SlowMist and StepSecurity recommend that any projects using the affected versions check their lock files and change potentially compromised credentials to mitigate the attack's impact.

Node-ipc supply chain attack targets crypto devs