惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Hugging Face - Blog
Hugging Face - Blog
V
Visual Studio Blog
小众软件
小众软件
有赞技术团队
有赞技术团队
雷峰网
雷峰网
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
AWS News Blog
AWS News Blog
C
Cisco Blogs
美团技术团队
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
人人都是产品经理
人人都是产品经理
宝玉的分享
宝玉的分享
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
W
WeLiveSecurity
D
DataBreaches.Net
博客园 - 司徒正美
Blog — PlanetScale
Blog — PlanetScale
IT之家
IT之家
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
Vercel News
Vercel News
月光博客
月光博客
T
Tailwind CSS Blog
H
Help Net Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Microsoft Security Blog
Microsoft Security Blog
V
V2EX
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
Recent Announcements
Recent Announcements

Socket

Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
Popular node-ipc npm Package Infected with Credential Stealer
Socket Resea · 2026-05-14 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Socket’s threat feed has detected malicious activity in newly published versions of node-ipc, a long-running npm package previously associated with one of the most widely discussed supply chain incidents in the JavaScript ecosystem.

The affected versions confirmed as malicious are:

Socket’s AI scanner detected the newly published malicious versions within roughly three minutes of publication, classifying the activity as malware. Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior. The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.

Socket’s incident response scan also noted historical malicious versions tied to the original 2022 node-ipc compromise. Versions 10.1.1 and 10.1.2 were associated with geo-targeted destructive malware that checked whether a system was located in Russia or Belarus before recursively overwriting files. Versions 11.0.0 and 11.1.0 included the peacenotwar dependency, which was previously linked to unauthorized file-writing behavior.

The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt. Socket classified all seven reviewed versions as malicious and recommends blocking them.

This is a developing story. Socket’s Threat Research team is continuing to analyze the package contents, confirm the full scope of the compromise, and extract indicators of compromise. Developers should avoid installing the affected versions and audit any recent installs of node-ipc, especially versions 9.1.6, 9.2.3, and 12.0.1.

The updated list of packages in this ongoing supply chain attack can be viewed at https://socket.dev/supply-chain-attacks/node-ipc

Background#

node-ipc is an npm package for inter-process communication in Node.js applications. The compromised package metadata routes CommonJS and ESM consumers to different entrypoints:

{
  "type": "module",
  "main": "node-ipc.cjs",
  "module": "node-ipc.js",
  "exports": {
    "import": "./node-ipc.js",
    "require": "./node-ipc.cjs"
  }
}

The malicious code is only present in node-ipc.cjs. It is appended as a single obfuscated IIFE at the end of the bundled CommonJS file. The clean ESM wrapper, node-ipc.js, imports the package implementation from local source files and does not contain the appended payload.

The package tarballs also carry a forensic artifact: every file in the reviewed tarballs is timestamped Oct 26 1985. That timestamp appears across the analyzed version artifacts and should be treated as a package-level indicator when investigating cached tarballs or registry mirrors.

Maintainer Compromise

node-ipc has twelve listed npm maintainers. One of them, atiertant, has publish rights but has been dormant on this package for years; recent releases have been published by other maintainers. This account was used to publish the three malicious releases.

Independent researcher Ian Ahl (@TekDefense, CTO at Permiso) was first to publicly identify the likely vector: takeover of a dormant maintainer account via an expired email domain:

Assuming the npm account recovery email for atiertant was indeed hosted on atlantis-software[.]net, the new domain owner was then able to trigger a standard npm password reset, receive the reset email at a mailbox under their control, and gain publish rights without ever compromising any of the maintainer's own infrastructure.

Technical Analysis#

Execution From the CommonJS Entrypoint

When require("node-ipc") resolves to node-ipc.cjs, the appended IIFE executes during module load. The payload does not use a postinstall script. It relies on runtime loading of the CommonJS bundle.

The payload exposes its runner function as __ntRun on the module exports in the normal path:

// Analyst note: simplified from the decoded payload.
runner.__ntRun = runner;

if (module && module.exports) {
  if (hashGateMatched) {
    module.exports = runner;
  } else {
    module.exports.__ntRun = runner;
  }
}

The __ntRun export is not just metadata. Any code that calls require("node-ipc").__ntRun() can trigger the runner again in that process. That creates an additional activation path through tests, build scripts, or other packages that inspect and call exported properties. Because the runner normally forks a detached child with __ntw=1, a downstream package that calls this export can cause a new collection and exfiltration attempt outside the original module-load event. The primary activation still happens automatically through setImmediate() after the CommonJS module loads.

The payload uses an environment variable named __ntw to distinguish the child execution path:

// Analyst note: simplified from the decoded payload.
if (process.env.__ntw === "1") {
  return collectAndExfiltrate();
}

const childEnv = Object.assign({}, process.env, { __ntw: "1" });
delete childEnv.NODE_OPTIONS;

const child = child_process.fork(
  path.resolve(module.filename),
  [],
  {
    cwd: process.cwd(),
    detached: true,
    stdio: "ignore",
    env: childEnv,
    execArgv: [],
    windowsHide: true
  }
);

if (child.channel) child.channel.unref();
child.unref();

If the fork succeeds, the parent process returns and the credential collection runs in the detached child. If the fork fails, or if __ntw=1 is already present, the payload runs collection in the current process.

Hash Gate Changes Export Behavior

The payload computes a special hash gate from the basename of the current module filename:

// Analyst note: simplified from the decoded payload.
const actual = sha256(path.basename(module.filename).toLowerCase()).toString("hex");
const expected = "bf9d8c0c3ed3ceaa831a13de27f1b1c7c7b7f01d2db4103bfdba4191940b0301";

const hashGateMatched = actual === expected;The reviewed artifacts confirm credential and configuration theft from developer machines and CI-like environments that load the CommonJS entrypoint

For the analyzed node-ipc.cjs file, the basename hash does not match the expected value, so the package API is augmented with __ntRun and the rest of the library remains usable. If the gate matches in another filename context, the code replaces module.exports with the runner function. The filename preimage for the expected hash was not recovered from the local samples, so this should be described as a confirmed behavior branch with an unknown target filename.

Host Reconnaissance and Environment Collection

The payload builds a host fingerprint using Node.js OS APIs:

// Analyst note: reconstructed from decoded calls.
[
  os.platform(),
  os.release(),
  os.arch(),
  os.hostname(),
  os.endianness()
].join(" ");

It also runs uname -a with a timeout and falls back to the Node.js fingerprint if that command fails. The archive always includes:

  • uname.txt, containing the command output or fallback fingerprint
  • etc/hosts, if /etc/hosts can be read
  • envs.txt, containing sorted process.env entries as KEY=value

The environment collection is not selective. Any token, cloud credential, CI secret, registry token, or database secret present in the process environment is written into envs.txt.

Credential and Configuration Harvesting

The payload chooses between separate decoded target lists for macOS and Linux/default platforms. The lists are not identical. In the analyzed payload, the macOS list contains 113 patterns and the Linux/default list contains 127 patterns. This count comes from the single identical malicious CommonJS file shared by all three reviewed package artifacts, not from a version-specific payload difference.

The collection logic supports home-directory expansion, relative paths from process.cwd(), single-segment globs, one-level dir/*/name patterns, and recursive **/name patterns from the current working directory. Recursive walking skips directories named node_modules and .git. Files larger than 4 MiB are skipped.

The targets focus on developer and infrastructure secrets, including:

  • AWS, Azure, GCP, OCI, DigitalOcean, Scaleway, Hetzner, Fly, Vercel, Railway, Alibaba Cloud, IBM Cloud, Linode, MinIO, Snowflake, Doppler, and Salesforce configuration files
  • SSH keys and SSH configuration
  • Kubernetes, Docker, Helm, Rancher, and service-account material
  • npm, Yarn, Netrc, Git, GitHub CLI, GitLab CLI, and Hub credentials
  • Terraform credentials and tfvars files
  • .env.env.local.env.production, database configuration files, shell histories, and database CLI histories
  • macOS Keychain database files
  • Firefox profile key database files on macOS
  • Linux keyrings and KWallet files
  • FileZilla, Remmina, OpenVPN, and related connection profiles
  • Microsoft Teams local storage and IndexedDB paths

Browser credential theft should be described precisely. The payload does not directly target Chrome Login Data, Chrome cookies, Chrome history, Safari history, or Safari cookies in the analyzed lists. It does target macOS Keychain databases, which can contain system and browser credentials, and it targets Firefox key*.db files on macOS, but it does not collect Firefox logins.json or cookies.sqlite in the decoded target list.

Collected files are renamed before archiving:

<host>/fixtures/f_<sha256(abs_path).slice(0,16)>_<sanitized_basename>

The archive also includes:

<host>/fixtures/_paths.txt

That file maps the harvested archive entries back to their original absolute paths, giving the threat actor context for each collected credential.

Archive Construction and Temporary File Behavior

The payload builds a POSIX ustar archive in memory, writes file headers and padded contents, then gzip-compresses the full tar buffer.

It does not keep the archive only in memory. The child writes a gzip archive to a temporary directory before exfiltration:

<os.tmpdir()>/nt-<pid>/<machineHex>.tar.gz

The payload attempts to delete this file with unlinkSync() after the exfiltration attempt finishes. If the process is interrupted, crashes, or is contained during execution, responders may find the temporary archive on disk.

DNS TXT Exfiltration Instead of HTTP

The payload does not use httphttps, or tls.connect() for exfiltration. It uses DNS TXT queries.

The decoded bootstrap resolver is:

sh[.]azurestaticprovider[.]net:443

The domain sh.azurestaticprovider.net is a deliberate lookalike of Microsoft's legitimate Azure Static Web Apps domain (azurestaticapps.net). The substitution of apps → provider and the use of the sh subdomain is designed to pass a casual inspection of firewall or proxy logs as legitimate Azure traffic.

If the bootstrap host is not already an IP address, the payload tries to resolve it using 1.1.1.1 first and 8.8.8.8 second. At the time of publication, this IP was 37.16[.]75.69. It then uses the resolved address plus port 443 as the DNS server for TXT exfiltration. If bootstrap resolution fails, it falls back to the raw bootstrap string and still proceeds to build and write the archive before the DNS exfiltration attempt fails.

The exfiltration zone is:

bt[.]node[.]js

The query labels use three record types:

xh.<machineHex>.<transferId>.<headerSig>.<chunkIndex>.<hexHeaderChunk>.bt[.]node[.]js
xd.<machineHex>.<transferId>.<bodySig>.<chunkIndex>.<hexBodyChunk>.bt[.]node[.]js
xf.<machineHex>.<transferId>.<footerSig>.0.<hexFooterJson>.bt[.]node[.]js

The transferId is generated from five random bytes and encoded as 10 hex characters for each exfiltration session.

The header JSON includes:

{
  "v": 1,
  "machineHex": "<machine-id>",
  "cloud": "none",
  "archivePath": "<temp-archive-path>",
  "gzipBytes": 0,
  "hdrChunks": 0,
  "datChunks": 0,
  "hostLabel": "<sanitized-hostname>"
}

The cloud value is hardcoded to none; no cloud metadata service probing was observed.

The footer JSON is:

{
  "done": true,
  "dataChunks": 0
}

DNS chunking is fixed:

  • Header chunks: 63 hex characters per label
  • Data chunks: 31 encoded body characters, then hex-encoded into the DNS label
  • Batch size: up to 160 DNS requests per Promise.all() window
  • DNS timeout: 8,000 ms

For a 500 KiB gzip archive, the expected data query volume is roughly 29,400 TXT queries, plus header and footer queries. That query count varies with the final compressed archive size. A burst of high-volume TXT queries matching xhxd, and xf label prefixes under bt[.]node[.]js is a strong detection opportunity.

Authentication and Encoding

The decoded authentication key is:

qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi

The body encoding chain is:

gzip archive
to base64 text
convert base64 text to bytes
XOR with SHA-256 keystream
base64 encode the XOR output
substitute characters using a key-derived alphabet permutation
split into 31-character body chunks
hex encode each chunk for DNS label transport

The dynamic run confirmed this path by reassembling intercepted xd chunks, reversing the DNS-label hex transport, reversing the substituted base64 body encoding, and reproducing the captured gzip archive byte-for-byte.

Signatures use HMAC-SHA256 and are truncated to 12 hex characters:

bodySig   = HMAC-SHA256(key + "|t", encodedBody).hex().slice(0, 12)
headerSig = HMAC-SHA256(key + "|p", headerJson).hex().slice(0, 12)
footerSig = HMAC-SHA256(key + "|q", machineHex + "|" + transferId + "|" + dataChunks).hex().slice(0, 12)

The payload awaits resolveTxt() calls, but it does not parse returned TXT records or dispatch commands. No download-and-execute stage, command loop, or response-driven C2 behavior was observed in the decoded payload.

Dynamic Validation

A controlled dynamic run forced the child path by setting __ntw=1 and instrumented filesystem, process, and DNS APIs. The run observed:

  • One gzip archive written under the temp nt-<pid> directory
  • An attempted unlinkSync() cleanup of that archive
  • One bootstrap DNS lookup for sh[.]azurestaticprovider[.]net
  • Header TXT queries using the xh prefix
  • Data TXT queries using the xd prefix
  • One footer TXT query using the xf prefix

Reassembling and decoding the intercepted xd DNS chunks reproduced the captured .tar.gz byte-for-byte, confirming that the DNS body chunks carry the gzip archive.

Impact#

The reviewed artifacts confirm credential and configuration theft from developer machines and CI-like environments that load the CommonJS entrypoint. Confirmed affected local artifacts include:

  • node-ipc 9.1.6 tarball
  • node-ipc 9.2.3 tarball
  • node-ipc 12.0.1 tarball

The malicious CommonJS file hash is identical across the reviewed unpacked package versions. CommonJS consumers using require("node-ipc") trigger the payload. ESM-only consumers using the package import export path do not load the malicious file in the reviewed package metadata, unless another dependency or direct require path loads node-ipc.cjs.

The payload does not establish persistence in the decoded sample. There is no observed cron, launchd, rc.d, service installation, or second-stage download. The operational impact is concentrated in the execution window: collection, archive creation, DNS TXT exfiltration, and attempted cleanup.

Infrastructure and Attribution#

The decoded network indicators are:

  • Bootstrap resolver: sh[.]azurestaticprovider[.]net:443
  • Exfiltration DNS zone: bt[.]node[.]js
  • DNS query prefixes: xhxdxf

The samples do not provide enough evidence to attribute the operation to a named threat actor.

Recommendations#

For Users

  • Remove compromised node-ipc versions and reinstall from a known-clean version.
  • Check package-lock, yarn.lock, pnpm-lock, build caches, and local npm cache entries for the malicious node-ipc.cjs hash.
  • Treat exposed environment variables and local developer secrets as compromised if the CommonJS package was loaded.
  • Rotate SSH keys, npm tokens, cloud provider keys, GitHub and GitLab tokens, Kubernetes credentials, Docker registry credentials, Terraform credentials, and database credentials present on affected hosts.
  • Search endpoint telemetry for temporary paths matching <tmp>/nt-<pid>/<machineHex>.tar.gz.

For Developers

  • Prefer dependency review that inspects package entrypoints, not only install scripts.
  • Audit whether your application loaded node-ipc through CommonJS, ESM, or a transitive dependency.
  • Avoid exposing long-lived secrets through process environment variables where possible.
  • Use short-lived cloud credentials and scoped tokens for development and CI workflows.

For Security Teams

  • Monitor for DNS resolver configuration or query attempts to sh[.]azurestaticprovider[.]net:443.
  • Detect DNS TXT queries with label prefixes xhxd, or xf under bt[.]node[.]js.
  • Hunt for large TXT query bursts. A 500 KiB compressed archive can produce roughly 29,400 data TXT queries.
  • Block or alert on the malicious node-ipc.cjs SHA-256 hash.
  • Preserve temporary directories matching nt-<pid> during live response, because interrupted runs may leave the gzip archive on disk.

Indicators of Compromise (IOCs)#

Malicious Packages

File Hashes

  • node-ipc.cjs SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
  • node-ipc-9.1.6.tgz SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
  • node-ipc-9.2.3.tgz SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
  • node-ipc-12.0.1.tar.gz SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981

Network Indicators

  • sh[.]azurestaticprovider[.]net
  • 37.16[.]75.69
  • bt[.]node[.]js
  • DNS TXT queries beginning with xh.
  • DNS TXT queries beginning with xd.
  • DNS TXT queries beginning with xf.

Runtime Indicators

  • Environment variable: __ntw=1
  • Exported runner property: __ntRun
  • Temporary archive path pattern: <tmp>/nt-<pid>/<machineHex>.tar.gz
  • Archive entries: uname.txtenvs.txtetc/hostsfixtures/_paths.txt

Decoded Key Material

  • Payload key: qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi