SecurityHorrors

Stories you never want to feel on your own skin

Shadow Supply: The Package That Stole Your Secrets

tldr: The popular node-ipc npm package was compromised after a maintainer account was taken over, allowing attackers to publish malicious versions containing a credential stealer. Affected versions are 9.1.6, 9.2.3, and 12.0.1.

Affected versions

  • Affected package: node-ipc on npm.
  • Malicious versions: 9.1.6, 9.2.3, 12.0.1.
  • Only the three listed versions carry the payload; releases published before the compromise are clean. Match exact versions, not ranges, since the malicious releases sit in the middle of otherwise clean version lines.
  • Downstream projects that resolved an affected version, directly or through a transitive dependency, may have pulled the compromised code into local builds and CI pipelines.

What to do

  • Check your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for node-ipc at 9.1.6, 9.2.3, or 12.0.1, including copies nested under other packages, and remove them immediately.
  • Upgrade to a known clean version or pin to a version published before the compromise, and verify the resolved version in the lockfile after reinstalling.
  • Treat every credential and token present on any machine or CI runner that installed an affected version as exposed, and rotate them: npm tokens, cloud keys, SSH keys, and anything in environment variables or .env files.
  • Audit build logs and dependency caches for signs of the credential stealer payload, and clear caches that may still hold the malicious tarball.