Popular 'node-ipc' NPM Package Compromised to Steal Cloud Credentials, SSH Keys
A popular software package used by developers and downloaded over 800,000 times per week was compromised on May 14, 2026, with malicious code designed to steal a vast array of sensitive credentials, including SSH keys, cloud provider access tokens, and cryptocurrency wallets. According to a report from software supply chain security firm SafeDep, three versions of the 'node-ipc' package on the npm registry were altered by an attacker who gained access to a maintainer's account.
The incident represents a significant supply chain attack, where malware is injected into a legitimate software component that is then unknowingly distributed to countless downstream projects. The malicious code, an 80-kilobyte obfuscated payload, was appended to a core file in versions 9.1.6, 9.2.3, and 12.0.1 of node-ipc. Once installed on a developer's machine, the payload activates in the background, scanning for and collecting sensitive files.
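Checking a project's lockfile for the three affected releases is the first thing most teams will want to do after reading this. The script below is an added example written for this page, not SafeDep's tooling or anything from the node-ipc project; it parses npm's package-lock.json in both the v1 (nested "dependencies") and v2/v3 (flat "packages") layouts and reports any copy of node-ipc pinned to 9.1.6, 9.2.3 or 12.0.1, including copies nested under other dependencies. The embedded lockfile is constructed for the demonstration; point the script at a real lockfile via its first argument.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Package name and versions are the ones named in the report above.
COMPROMISED: Dict[str, Set[str]] = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}

# Constructed sample lockfile (lockfileVersion 3) for the example run.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"node-ipc": "^9.1.0"}},
        "node_modules/node-ipc": {
            "version": "9.2.3",
            "resolved": "https://registry.npmjs.org/node-ipc/-/node-ipc-9.2.3.tgz",
        },
        "node_modules/some-dep": {"version": "1.0.0"},
        # A nested, older copy that is not one of the affected versions.
        "node_modules/some-dep/node_modules/node-ipc": {"version": "9.1.5"},
    },
})


def package_name_from_path(path: str) -> str:
    """Map a v2/v3 lockfile key such as node_modules/a/node_modules/@s/b to '@s/b'."""
    if "node_modules/" not in path:
        return ""  # the root project entry ("") has no package name
    return path.rsplit("node_modules/", 1)[1]


def find_compromised(lockfile_text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (install path, package, version) triples for known-bad pins."""
    data = json.loads(lockfile_text)
    hits: Set[Tuple[str, str, str]] = set()

    # lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for path, meta in data.get("packages", {}).items():
        name = package_name_from_path(path)
        if name in COMPROMISED and meta.get("version") in COMPROMISED[name]:
            hits.add((path, name, meta["version"]))

    # lockfileVersion 1 (and 2, which carries both): nested "dependencies" tree.
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name in COMPROMISED and meta.get("version") in COMPROMISED[name]:
                hits.add((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(data.get("dependencies", {}), "")
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCKFILE
    findings = find_compromised(text)
    for path, name, version in findings:
        print(f"COMPROMISED {name}@{version} at {path}")
    sys.exit(1 if findings else 0)
```

The exit status makes the check usable as a CI gate; a clean lockfile exits 0, any hit exits 1. Because npm can install the same package several times at different nesting levels, the walk over every install path matters: a fixed top-level pin does not prove a transitive copy is safe.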
The malware targets an extensive list of over 100 specific file paths on both Linux and macOS systems. According to analysis from SafeDep and Ox Research, the stolen data includes credentials for major cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). It also seeks out configuration files for developer tools like Kubernetes, Docker, and Terraform, as well as tokens for code repositories like GitHub and GitLab. The malware exfiltrates the collected data by bundling it into a compressed archive and sending it to an attacker-controlled server using DNS tunneling, a stealthy technique designed to bypass firewalls.
To maximize its effectiveness while avoiding detection, the malware is programmed to skip files larger than four megabytes and to avoid scanning common developer directories such as '.git' and 'node_modules', which often contain thousands of files and could slow down the process or trigger security alerts. This level of sophistication indicates a well-planned operation aimed at high-value targets within the software development community.
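Because the exfiltration path described above is DNS rather than HTTP, egress firewalls and proxies rarely see it, and the detection opportunity is in resolver logs. The following added example (written for this page, not from SafeDep or Ox Research, and not modelled on the actual payload's encoding) applies a common tunneling heuristic to constructed resolver log lines: it groups queries by parent domain and flags a domain that receives many unique, long, high-entropy subdomains, which is the shape bulk data takes when it is chunked into query names. The log format, the `example-c2.invalid` domain and the thresholds are assumptions; parent-domain extraction uses the last two labels, whereas production code would consult the public suffix list.

```python
import math
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed resolver log lines: four ordinary developer lookups, then five
# queries carrying long hex-looking labels under one placeholder domain.
SAMPLE_LOG = """\
2026-05-14T10:00:01Z src=10.0.0.5 qtype=A qname=registry.npmjs.org
2026-05-14T10:00:02Z src=10.0.0.5 qtype=A qname=github.com
2026-05-14T10:00:03Z src=10.0.0.5 qtype=A qname=api.github.com
2026-05-14T10:00:04Z src=10.0.0.5 qtype=AAAA qname=registry.npmjs.org
2026-05-14T10:02:00Z src=10.0.0.5 qtype=TXT qname=3f9c1a7e5b0d2846e4c8a1f69d3b7250.s00.x.example-c2.invalid
2026-05-14T10:02:01Z src=10.0.0.5 qtype=TXT qname=b7d21e9f4a0c86351f5e7a2d9c4b0683.s01.x.example-c2.invalid
2026-05-14T10:02:02Z src=10.0.0.5 qtype=TXT qname=e1a4c97f3b5d20864d2f8c1a7e9b6035.s02.x.example-c2.invalid
2026-05-14T10:02:03Z src=10.0.0.5 qtype=TXT qname=5c8e2f1b9a7d04636a0d4e2b8f1c7953.s03.x.example-c2.invalid
2026-05-14T10:02:04Z src=10.0.0.5 qtype=TXT qname=a2f7c4e19b3d58060b9e3a6c1f4d7e28.s04.x.example-c2.invalid
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex or base32 chunks score near log2(alphabet)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Assumed simplification: treat the last two labels as the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_dns_log(log_text: str, min_unique: int = 5, min_sub_len: int = 30,
                  min_entropy: float = 3.0) -> Dict[str, dict]:
    """Per parent domain, count unique query names and measure subdomain shape."""
    per_parent: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_parent[parent_domain(m["qname"])].add(m["qname"])

    findings: Dict[str, dict] = {}
    for parent, names in per_parent.items():
        # Subdomain part only (strip ".parent"); apex-only queries have none.
        subs = [n[: -len(parent) - 1] for n in names if n.endswith("." + parent)]
        if not subs:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        findings[parent] = {
            "unique_qnames": len(names),
            "mean_subdomain_len": round(mean_len, 1),
            "mean_first_label_entropy": round(mean_ent, 2),
            "suspicious": (len(names) >= min_unique and mean_len >= min_sub_len
                           and mean_ent >= min_entropy),
        }
    return findings


if __name__ == "__main__":
    for domain, stats in sorted(score_dns_log(SAMPLE_LOG).items()):
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{flag:10} {domain}: {stats}")
```

All three conditions have to hold before a domain is flagged, which keeps CDNs and large SaaS zones with many short, dictionary-like hostnames from tripping the rule; the thresholds are starting points to tune against your own resolver baseline, and a matching log line also carries the source address needed to find the developer machine that should be isolated and re-credentialed.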
This attack is part of a broader, concerning trend of threat actors targeting open-source software repositories. In March 2026, security researchers at Panther detailed a separate campaign, dubbed the "Ghost Campaign," which used at least seven malicious npm packages to steal credentials. According to The Hacker News, these packages, including 'react-state-optimizer' and 'ai-fast-auto-trader,' employed a different tactic. They presented developers with a fake "setup wizard" that tricked them into entering their administrative password to perform supposed system optimizations.
Once the password was captured, the Ghost Campaign malware would harvest browser credentials, cryptocurrency wallets, SSH keys, and developer tool tokens. This campaign featured a complex, dual-revenue model. Stolen credentials were sent to specific Telegram bots for immediate exploitation, while a secondary mechanism used a Binance Smart Chain contract to store and update affiliate URLs for redirect-based revenue generation.
Another recent example occurred in late 2025, when researchers at Zscaler discovered three npm packages delivering a new Remote Access Trojan (RAT) named NodeCordRAT. The packages, 'bitcoin-main-lib', 'bitcoin-lib-js', and 'bip40', used Discord servers for command-and-control communication. This malware specifically targeted credentials stored in Google Chrome, sensitive data in '.env' files, and private keys from the popular MetaMask cryptocurrency wallet.
The business implications of such attacks are severe. Stolen cloud credentials can grant attackers full access to a company's server infrastructure, leading to catastrophic data breaches, service disruptions, or massive financial losses from unauthorized use of resources for activities like cryptocurrency mining. The theft of proprietary source code, product roadmaps, and engineering documents can provide competitors with an invaluable strategic advantage.
In our experience, the operational risk from software supply chains is no longer a theoretical problem for large enterprises; it is a clear and present danger for small and mid-sized businesses. Many companies rely heavily on open-source software to accelerate development, but they often lack the internal security protocols to properly vet every third-party dependency. A single compromised package, downloaded by one unsuspecting developer, can give attackers the keys to the entire kingdom—cloud infrastructure, financial accounts, and critical intellectual property. This creates a critical blind spot in a company's defenses. We help clients build frameworks to mitigate these exact threats. For businesses looking to secure their development pipelines and protect digital assets, our financial risk management services provide the necessary oversight and control. To assess your company's exposure, contact C&S Finance Group LLC at csfinancegroup.com.
As threat actors continue to target the software supply chain, security experts anticipate a greater emphasis on automated dependency scanning and the adoption of stricter internal governance policies for developers. The responsibility for securing applications is increasingly shifting to the organizations that build and deploy them, requiring a more proactive and vigilant approach to managing third-party code.