
Node-ipc attack steals crypto developer credentials via npm

2026/05/17 02:31

Node-ipc Attack: Crypto Developer Credentials Stolen via npm

Three poisoned versions of node-ipc went live on the npm registry on May 14, according to the blockchain security firm SlowMist. Attackers hijacked a dormant maintainer account and pushed code designed to siphon developer credentials, private keys, exchange API secrets, and more straight from .env files.

Node-ipc is a popular Node.js package that enables inter-process communication between different programs on the same machine or, sometimes, across a network. It’s widely used in the crypto space, including in tools for building dApps, continuous integration and deployment systems, and everyday developer utilities. More than 822,000 people download the package each week.

Malicious Versions Identified

SlowMist’s threat intelligence system MistEye identified three malicious versions—9.1.6, 9.2.3, and 12.0.1. Each carried the same obfuscated 80 KB payload. The infected versions had hidden malicious code bolted onto them that ran automatically the moment any program loaded node-ipc.

How the Attack Unfolded

Researchers at StepSecurity later figured out how the attack unfolded. The original developer of node-ipc had an email address tied to the domain atlantis-software.net. However, that domain expired on January 10, 2025. On May 7, 2026, the attacker purchased the same domain through Namecheap, gaining control of the developer’s old email address. They simply clicked “forgot password” on npm, reset it, and walked in with full permission to publish new versions of node-ipc. The real developer had no idea this was happening. The malicious versions stayed live for roughly two hours before being removed.

What the Payload Does

The embedded payload hunts for over 90 types of developer and cloud credentials. AWS tokens, Google Cloud and Azure secrets, SSH keys, Kubernetes configs, and GitHub CLI tokens are all on the list. For crypto developers specifically, the malware raids .env files, which often hold private keys, RPC node credentials, and exchange API secrets.

To exfiltrate the stolen data, the payload uses DNS tunneling. This technique hides the stolen files inside normal-looking internet lookup requests, which most network security tools don’t catch.

Immediate Steps and Context

Security teams are advising that any project which ran npm install or had auto-updated dependencies during that two-hour window should assume compromise. Immediate steps, per guidance from SlowMist, include rotating all credentials, API keys, and secrets, and auditing dependencies. Supply chain attacks on npm have become a regular occurrence in 2026. Crypto projects get hit harder than most because stolen logins can often be turned into stolen cash swiftly.
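One way to start the dependency audit described above, as an added example that is not code from the article, SlowMist or StepSecurity: a Node.js function that walks a parsed package-lock.json and reports every node-ipc entry pinned to one of the three versions named in this article. The function name and the sample lockfile are constructed for illustration.

```javascript
// Versions the article lists as malicious.
const COMPROMISED_VERSIONS = new Set(["9.1.6", "9.2.3", "12.0.1"]);

// Returns [{ path, version }] for each node-ipc entry at a listed version.
// Accepts a parsed package-lock.json with lockfileVersion 1, 2 or 3.
function findCompromisedNodeIpc(lock) {
  // Keyed by install path so a v2 file (which carries both sections)
  // does not report the same install twice.
  const hits = new Map();

  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/node-ipc". An aliased install keeps
  // its real package name in the entry's "name" field.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "node-ipc" && COMPROMISED_VERSIONS.has(meta.version)) {
      hits.set(path, meta.version);
    }
  }

  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc" && COMPROMISED_VERSIONS.has(meta.version)) {
        hits.set(path, meta.version);
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits]
    .map(([path, version]) => ({ path, version }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.2" },
    "node_modules/build-tool/node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/ipc-alias": { name: "node-ipc", version: "12.0.1" },
  },
};
console.log(findCompromisedNodeIpc(SAMPLE_LOCK));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json. A clean lockfile only shows what is pinned now; a machine or CI runner that installed one of these versions during the window still falls under the assume-compromise guidance above.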

The post Node-ipc attack steals crypto developer credentials via npm appeared first on TheCryptoUpdates.
