Three poisoned versions of Node-IPC were published to the npm registry on May 14, according to SlowMist. Attackers hijacked a dormant admin account and pushed code designed to exfiltrate developer credentials, private keys, and exchange API and business secrets directly from .env files.
Node-IPC is a popular Node.js package that allows different programs to talk to each other on the same machine, or sometimes over a network.
SlowMist catches the breakout
Blockchain security company SlowMist discovered the hack through its MistEye threat intelligence system.
Versions 9.1.6, 9.2.3, and 12.0.1
MistEye found three malicious versions:
- Version 9.1.6.
- Version 9.2.3.
- Version 12.0.1.
All three versions carry the same 80KB obfuscated payload.
Node-ipc handles inter-process communication in Node.js. It basically helps Node.js programs send messages back and forth. More than 822,000 people download it every week.
Node-ipc is used throughout the crypto space. It appears in the tools that developers use to build decentralized applications, in systems that automatically test and deploy code (CI/CD), and in everyday developer tools.
Each infected version had the same hidden malicious code installed on it. The moment any program loads Node-IPC, the code is automatically run.

Researchers at StepSecurity discovered how the attack occurred. The original developer of node-ipc had an email address associated with the domain atlantis-software(.)net. However, the domain expired on January 10, 2025.
On May 7, 2026, the attacker purchased the same domain through Namecheap, giving them control of the developer’s old email. From there, they just hit “forgot password” in npm, reset it, and gained full permission to publish new versions of Node-IPC.
The real developer had no idea any of this was happening. The malicious versions remained present for approximately two hours before being removed.
The thief looks for more than 90 types of credentials
The built-in payload searches for more than 90 types of developer and cloud credentials. AWS tokens, Google Cloud and Azure secrets, SSH keys, Kubernetes configurations, and GitHub CLI tokens are all on the list.
For crypto developers, the malware specifically raids .env files. These typically hold private keys, RPC node credentials, and API secrets.
To exfiltrate stolen data, the payload uses DNS tunneling: it hides the stolen data inside ordinary-looking DNS queries. Most network security tools don’t detect this.
Security teams say that any project that ran npm install, or had dependencies automatically updated, during that two-hour window should assume compromise.
Immediate steps, as directed by SlowMist:
- Check the lock files for Node-IPC versions 9.1.6, 9.2.3, or 12.0.1.
- Downgrade to the latest version that you know is safe.
- Change all credentials that may have leaked.
Supply chain attacks on npm are becoming commonplace in 2026. Cryptocurrency projects take a harder hit than most because stolen logins can quickly turn into stolen funds.





