Malicious package

node-ipc (npm)

Malicious code in node-ipc (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3744
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall node-ipc

What this malware does

Three versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published to npm on May 14, 2026 by a compromised maintainer account (atiertant). Each version contains an identical 80KB obfuscated payload appended to node-ipc.cjs that steals over 100 categories of sensitive files (SSH keys, cloud provider credentials, .env files, Kubernetes configs, AI tool configurations) and exfiltrates them as gzipped tar archives via DNS tunneling.

node-ipc version 9.2.3 contains a heavily obfuscated module (node-ipc.cjs with hex-mangled identifiers such as _0xaed59b, _0x282d65, _0x4524e4, _0x41d0c3) introduced by the maintainer as protestware. The obfuscated code, loaded on module import, performs geolocation lookups against installer-side IP data and, for hosts resolving to certain regions, overwrites and/or creates files on the installer's filesystem (historically writing 'peace' messages to the user's Desktop and, in related releases from the same maintainer, recursively overwriting files with a heart character). The payload fires whenever this package is loaded as a dependency — including transitively via popular downstream packages — without any consent from the installer. This is destructive, geolocation-gated sabotage executed on the installer's machine at module load time.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

3 flagged
9.1.6, 9.2.3, 12.0.1

Indicators of compromise (SHA-256)

0b2843b0518acc53936addb07ad25be35502f9d7c9341d72574f7ef9cb511594
510f4689fde6aaa371d3326fe3cb2f9cf33c0821c38d0166359e870c5c836b8d
94a6761b8d73df3b9150f507dc28646ee8e68736d17ebf010d9bccc9d54ead13
d88176a3441259cee605e58c4967e970a8c7bec952fcaea81f0c2ba4f23c5e5e

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for node-ipc (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging node-ipc across your stack and pipelines.

  2. If you installed it — respond

    node-ipc is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If node-ipc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks node-ipc before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
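
For step 1, one way to check a parsed package-lock.json for the three flagged versions, including transitive copies. This is an added example, not O3's scanner or code from the original page; the function names, the sample lockfile and the "some-cli" package are assumptions made for illustration.

```javascript
// Added example: flag the node-ipc versions named in this advisory in a
// parsed package-lock.json (lockfileVersion 1, 2 or 3).
const BAD_NAME = "node-ipc";
const BAD_VERSIONS = new Set(["9.1.6", "9.2.3", "12.0.1"]); // from the advisory

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/node-ipc"; nesting shows a transitive copy.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    // meta.name, when present, overrides the folder name.
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (name === BAD_NAME && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === BAD_NAME && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path: here.join(" > "), version: meta.version });
    }
    scanDependencies(meta.dependencies, here, hits);
  }
}

function findMaliciousNodeIpc(lock) {
  const hits = [];
  // v2 lockfiles carry both maps; prefer "packages" to avoid double counting.
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample (not a real project; "some-cli" is hypothetical):
// a clean top-level copy plus a flagged transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.2" },
    "node_modules/some-cli/node_modules/node-ipc": { version: "9.2.3" },
  },
};
console.log(findMaliciousNodeIpc(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findMaliciousNodeIpc`. Any hit means steps 2 and 3 apply to every machine and pipeline that installed from that lockfile.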

Frequently asked questions

No. node-ipc on npm has been identified as a malicious package (versions 9.1.6, 9.2.3, 12.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002683, IN-MAL-2026-002684, IN-MAL-2026-002682, GHSA-pvh2-rg5g-69v7

Credits

  • Amazon Inspector · finder
  • SafeDep · finder
  • nullcharb · finder

Detect & block this

O3 blocks node-ipc-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

node-ipc (npm) malicious package — MAL-2026-3744 | O3 Security