Saturday, May 16, 2026

Node-IPC supply chain attack targets crypto developers

According to SlowMist, three poisoned versions of node-ipc were uploaded to the npm registry on May 14. The attackers hijacked the maintainer's dormant npm account and pushed code designed to siphon developer credentials, private keys and exchange API secrets directly from .env files.

node-ipc is a popular Node.js package that allows different programs to communicate with each other on the same machine, or sometimes over a network.

SlowMist catches up

Blockchain security company SlowMist spotted the malicious versions using its MistEye threat intelligence system.

Versions 9.1.6, 9.2.3 and 12.0.1

MistEye flagged three malicious versions:

  • Version 9.1.6.
  • Version 9.2.3.
  • Version 12.0.1.

All versions above carried the same 80 KB obfuscated payload.

Node-ipc manages inter-process communication in Node.js; in practice it lets Node.js programs send messages back and forth. It is downloaded more than 822,000 times every week.

Node-ipc is used throughout the crypto space. It is used in tools that developers use to create dApps, in systems that automatically test and deploy code (CI/CD), and in everyday development tools.

Each infected version contained the same hidden malicious code. As soon as a program loaded node-ipc, the code executed automatically.

Screenshot from MistEye showing malicious node-ipc packages. Source: SlowMist via

StepSecurity researchers worked out how the attack happened. The original developer of node-ipc had an email address on the domain atlantis-software[.]net, and that domain expired on January 10, 2025.

On May 7, 2026, the attacker purchased the same domain through Namecheap, which gave them control of the developer’s old email. From there, they simply clicked “forgot password” on npm, reset it, and went straight in with full permission to release new versions of node-ipc.

The real developer had no idea what was going on. The malicious versions remained active for approximately two hours before being removed.

Thief searches over 90 types of credentials

The embedded payload searches for over 90 types of developer and cloud credentials: AWS tokens, Google Cloud and Azure secrets, SSH keys, Kubernetes configurations and GitHub CLI tokens are all on the list.

For crypto developers, the malware specifically attacks .env files. These typically hold private keys, RPC node credentials, and exchange API secrets.

To exfiltrate the stolen data, the payload uses DNS tunneling: it hides the file contents inside normal-looking DNS lookups. Most network security tools don't flag this traffic.

Security teams say that any project which ran npm install, or whose dependencies were updated automatically, during that two-hour window should be treated as compromised.

Immediate steps, according to SlowMist’s advice:

  • Check your lock files for node-ipc versions 9.1.6, 9.2.3 or 12.0.1.
  • Revert to the last version you know to be safe.
  • Rotate any credentials that may have leaked.

Supply chain attacks against npm have become commonplace in 2026. Crypto projects are hit harder than most because stolen credentials can quickly be turned into stolen money.
