
Popular node-ipc npm package compromised to steal credentials

Why This Matters

The recent compromise of the popular node-ipc npm package highlights the ongoing risks in software supply chains and the need for vigilance from both developers and consumers. The attack shows how malicious code can enter widely used open-source projects and expose sensitive credentials and data across numerous organizations. The incident is a reminder for the industry to strengthen security practices around package management and dependency vetting.

Key Takeaways

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.

The node-ipc package is a Node.js module that enables various processes to communicate through all forms of sockets, including Unix, Windows, UDP, TLS, and TCP.

Even though the maintainer published weaponized versions in March 2022 that targeted systems in Russia and Belarus with a data-overwriting module, in protest against the Russian invasion of Ukraine, the package still has more than 690,000 weekly downloads on npm.

The recent supply-chain attack was detected by multiple application security companies, including Socket, Ox Security, and Upwind, which confirmed the following three versions as malicious:

[email protected]

[email protected]

[email protected]

The malicious code hides inside the CommonJS entrypoint (node-ipc.cjs) and executes automatically whenever an application loads the package.

The malware is heavily obfuscated. It fingerprints infected systems, collects environment variables and sensitive local files, compresses the stolen data into archives, and exfiltrates it through DNS TXT queries.
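Because the stolen archives leave the host as DNS TXT queries, a defender's first detection opportunity is the resolver log. The following is an added example, not code from the article or from the security firms it cites: it scans a constructed resolver log (the log format, the 10.0.0.x clients and the exfil-example.test domain are all invented) for clients that send a burst of long, high-entropy TXT queries to one base domain, which is the shape chunked exfiltration takes.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic), one query per line:
# "<timestamp> <client-ip> <qtype> <qname>"; exfil-example.test is a placeholder domain.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 A registry.npmjs.org
2024-01-01T10:00:01Z 10.0.0.5 TXT _dmarc.example.com
2024-01-01T10:00:02Z 10.0.0.7 TXT 4d7a6b3f9e1c.a8f2e9d1c3b7.0001.exfil-example.test
2024-01-01T10:00:02Z 10.0.0.7 TXT 9f1e2d3c4b5a.7e6d5c4b3a29.0002.exfil-example.test
2024-01-01T10:00:03Z 10.0.0.7 TXT b3c4d5e6f7a8.1928374655ab.0003.exfil-example.test
2024-01-01T10:00:03Z 10.0.0.7 TXT c4d5e6f7a8b9.2837465564bc.0004.exfil-example.test
2024-01-01T10:00:04Z 10.0.0.5 TXT example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; compressed or encoded payload chunks score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Yield (client, qtype, qname), skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qtype, qname = m.groups()
            yield client, qtype.upper(), qname.lower().rstrip(".")

def is_suspicious_txt(qname, min_len=40, min_entropy=3.0):
    """Long qname whose leading labels look like encoded data rather than hostnames."""
    labels = qname.split(".")
    payload = "".join(labels[:-2])  # labels left of the (approximate) registrable domain
    return len(qname) >= min_len and shannon_entropy(payload) >= min_entropy

def find_txt_exfil(text, burst=3):
    """Return {(client, base_domain): count} for clients that sent at least `burst`
    suspicious TXT queries to one base domain. base_domain is approximated as the
    last two labels; use a public suffix list in production."""
    hits = defaultdict(int)
    for client, qtype, qname in parse_log(text):
        if qtype == "TXT" and is_suspicious_txt(qname):
            hits[(client, ".".join(qname.split(".")[-2:]))] += 1
    return {key: n for key, n in hits.items() if n >= burst}
```

Calling `find_txt_exfil(SAMPLE_LOG)` on the constructed log returns the single client 10.0.0.7 with four flagged queries to exfil-example.test, while the ordinary `_dmarc` and apex TXT lookups from 10.0.0.5 are ignored; tune `min_len`, `min_entropy` and `burst` against your own baseline before alerting on real logs.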

The latest compromise appears to be the work of an external actor who compromised the account of an inactive maintainer named 'atiertant.'
