Three malicious versions of the npm package node-ipc (9.1.6, 9.2.3, and 12.0.1) were published on May 14, 2026, containing an obfuscated credential-stealing payload. The attack likely involved abuse of a legitimate npm maintainer account, possibly through re-registration of an expired email domain to trigger account recovery. The malicious code was injected into the CommonJS bundle (node-ipc.cjs) and executed at runtime via require(), not at install time. It targeted over 90 credential categories including cloud credentials, SSH keys, Kubernetes tokens, GitHub CLI config, and CI/CD secrets, exfiltrating data to attacker-controlled infrastructure. Organizations that installed affected versions should rotate all exposed secrets, clear package caches, rebuild from clean dependency trees, and review audit logs for follow-on abuse.
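One way to check a project for the affected versions listed above, as an added example that is not part of the original advisory: it scans a parsed package-lock.json, in either the nested v1 layout or the v2/v3 "packages" map, for node-ipc at 9.1.6, 9.2.3 or 12.0.1. The function name, the sample lockfiles and the package names in them are constructed for illustration.

```javascript
// Added example: flag the node-ipc releases named in this advisory inside a
// parsed package-lock.json. Names here are illustrative, not from the advisory.
const BAD_VERSIONS = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Returns [{ path, version }] for every node-ipc entry at an affected version.
function findAffectedNodeIpc(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (name === "node-ipc" && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  };

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, for example
    // "node_modules/a/node_modules/node-ipc"; aliased installs carry "name".
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split("node_modules/").pop(), meta, path);
    }
    return hits; // v2 also mirrors the tree in "dependencies"; skip it to avoid duplicates
  }

  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta, trail.concat(name).join(" > "));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample, lockfileVersion 3 layout. The top-level node-ipc entry
// uses a version that is not in the advisory's list.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.1.1" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "12.0.1" },
  },
};
// Constructed sample, lockfileVersion 1 layout with a transitive copy.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": { version: "2.0.0", dependencies: { "node-ipc": { version: "9.1.6" } } },
  },
};
console.log(findAffectedNodeIpc(sampleV3), findAffectedNodeIpc(sampleV1));
```

For a real project, pass the result of JSON.parse on the package-lock.json contents. A hit means the install falls under the rotation and rebuild guidance above.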
Table of contents
- Component involved
- Known affected versions
- Timeline
- How the compromise appears to have happened
- Attack vector and malicious behavior
- Who may be impacted
- Detection guidance
- Mitigation and response
- Why this incident matters
- Current assessment
- References