Cybersecurity researchers have identified malicious code in three versions of the popular npm package node-ipc (versions 9.1.6, 9.2.3, and 12.0.1), which contains stealer backdoor functionality targeting developer credentials and secrets. The compromised package poses significant supply chain security risks to enterprise development environments that rely on Node.js dependencies.
Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 "Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1
Originally published at thehackernews.com
60-minute technical evaluation, no obligation. We'll map the ideas in this article to your environment.
