node-ipc dormant-maintainer takeover via expired email domain
On 2026-05-14 three malicious node-ipc releases (9.1.6, 9.2.3, 12.0.1) were published from a dormant maintainer account atiertant. The attacker re-registered the expired atlantis-software.net domain on 2026-05-07 and used npm's password-reset flow to seize publish rights. The payload fires on every require("node-ipc") (no lifecycle hook) and exfiltrates 90+ credential categories via DNS TXT queries. 12.0.1 was tagged latest, so any unpinned install during the ~60-second window pulled the backdoor. ~822K weekly downloads.
- Detected by
- Socket
- Ecosystems
- npm
- Packages tracked
- 1
What happened
On 2026-05-14 between 14:25 and 14:26 UTC, three malicious node-ipc releases — 9.1.6, 9.2.3, and 12.0.1 — were published from a dormant maintainer account atiertant (a.tiertant@atlantis-software.net). node-ipc averages ~822K weekly downloads and is a transitive dependency in many CLI toolchains, so the exposure surface was large despite the short publish window.
The attack vector was a textbook expired-email-domain takeover, first publicly identified by Ian Ahl (CTO at Permiso). The atlantis-software.net domain had been allowed to lapse; the attacker re-registered it through Namecheap on 2026-05-07, stood up a PrivateEmail mailbox, requested an npm password reset, captured the recovery link, and pushed three releases through the legitimate publish flow without ever touching the original maintainer's infrastructure or 2FA setup.
Unlike most npm worms, this payload is not gated by an install hook. The malicious node-ipc.cjs bundle has an ~80KB obfuscated IIFE appended to the end of the CommonJS module body; execution fires on every require("node-ipc") call at runtime. npm ci --ignore-scripts does NOT mitigate. 12.0.1 was tagged latest, so any unpinned npm install node-ipc during the window grabbed the backdoor.
- Payload harvests 90+ categories of credentials: AWS/Azure/GCP/OCI keys, SSH private keys, kubeconfig, GitHub CLI tokens,
.npmrc, git credentials,.envfiles, Terraform state, DB configs, macOS Keychain, Firefox / KWallet, Claude AI and Kiro IDE configs. - Data is gzip-tarred, XOR-encrypted, base64-encoded, then exfiltrated over DNS TXT queries (prefixes
xh/xd/xf, suffixbt.node.js) tosh.azurestaticprovider.net(37.16.75.69) on port 443 via public resolvers8.8.8.8and1.1.1.1. DNS-based exfil bypasses most HTTP egress filtering. - IOC: SHA-256 of the bad
node-ipc.cjsis96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144; processes spawning with env var__ntw=1or temp dirs namednt-<pid>.
Socket flagged the publishes as malware within ~3 minutes; npm yanked all three versions. The structural lesson is that maintainer email domain expiry is a high-severity supply-chain risk — any dependency relying on a personal domain inherits a credential-rotation event the moment the domain lapses.
Affected packages (1)
- npm
node-ipc9.1.69.2.312.0.1
Impact
- Cloud credential theft: AWS, Azure, GCP, OCI
- SSH private keys, Kubernetes kubeconfig, GitHub CLI tokens, .npmrc, git credentials
- Application secrets in .env files, Terraform state, database configs
- Desktop credential stores: macOS Keychain, Firefox, KWallet
- AI tooling: Claude AI / Kiro IDE configuration files
- DNS-based exfiltration bypasses most HTTP egress filtering
- Backdoor fires on require() with no install hook —
npm ci --ignore-scriptsdoes NOT mitigate
What to do
- 1Pin node-ipc to a known-clean release: 9.2.1 or 12.0.0 (or older). Block 9.1.6, 9.2.3, 12.0.1
- 2Purge node_modules and any cached tarballs containing the bad versions; verify SHA-256 of node-ipc.cjs is NOT 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
- 3Assume credential compromise on any host or CI runner that ran
require("node-ipc")while a malicious version (9.1.6, 9.2.3, or 12.0.1) was live on npm — the window opened at 14:25 UTC on 2026-05-14 and closed when npm removed the versions a few minutes later. Rotate AWS/GCP/Azure keys, npm/GitHub/GitLab/CircleCI tokens, SSH keys, K8s tokens, DB passwords - 4Block DNS queries to sh.azurestaticprovider.net and any 37.16.75.69 traffic; alert on detached node child processes with env var
__ntw=1ornt-<pid>temp dirs - 5Audit npm publish history under every maintainer account for unexpected releases after 2026-05-14
- 6Long-term: enforce 2FA on every maintainer of every dependency; treat any maintainer email domain expiring as a critical incident