MAL-2026-3744
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-ipc/MAL-2026-3744.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3744
- Published
- 2026-05-14T16:53:17Z
- Modified
- 2026-05-15T07:49:15.139718Z
- Summary
- Malicious code in node-ipc (npm)
- Details
-
Three versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published to npm on May 14, 2026 by a compromised maintainer account (atiertant). Each version contains an identical 80KB obfuscated payload appended to node-ipc.cjs that steals over 100 categories of sensitive files (SSH keys, cloud provider credentials, .env files, Kubernetes configs, AI tool configurations) and exfiltrates them as gzipped tar archives via DNS tunneling.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (510f4689fde6aaa371d3326fe3cb2f9cf33c0821c38d0166359e870c5c836b8d)
node-ipc version 9.2.3 contains a heavily obfuscated module (node-ipc.cjs with hex-mangled identifiers such as _0xaed59b, _0x282d65, _0x4524e4, _0x41d0c3) introduced by the maintainer as protestware. The obfuscated code, loaded on module import, performs geolocation lookups against installer-side IP data and, for hosts resolving to certain regions, overwrites and/or creates files on the installer's filesystem (historically writing 'peace' messages to the user's Desktop and, in related releases from the same maintainer, recursively overwriting files with a heart character). The payload fires whenever this package is loaded as a dependency — including transitively via popular downstream packages — without any consent from the installer. This is destructive, geolocation-gated sabotage executed on the installer's machine at module load time.
- Database specific
{ "malicious-packages-origins": [ { "source": "amazon-inspector", "id": "IN-MAL-2026-002683", "versions": [ "9.1.6" ], "import_time": "2026-05-15T07:37:16.344241431Z", "modified_time": "2026-05-14T19:25:04Z", "sha256": "0b2843b0518acc53936addb07ad25be35502f9d7c9341d72574f7ef9cb511594" }, { "source": "amazon-inspector", "id": "IN-MAL-2026-002684", "versions": [ "9.2.3" ], "import_time": "2026-05-15T07:37:16.425534851Z", "modified_time": "2026-05-14T19:25:04Z", "sha256": "510f4689fde6aaa371d3326fe3cb2f9cf33c0821c38d0166359e870c5c836b8d" }, { "source": "amazon-inspector", "id": "IN-MAL-2026-002682", "versions": [ "12.0.1" ], "import_time": "2026-05-15T07:37:16.295608081Z", "modified_time": "2026-05-14T19:25:03Z", "sha256": "94a6761b8d73df3b9150f507dc28646ee8e68736d17ebf010d9bccc9d54ead13" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- SafeDep - FINDER
-
- nullcharb - FINDER
-
Affected packages
npm / node-ipc
Package
- Name
- node-ipc
- View open source insights on deps.dev
- Purl
- pkg:npm/node-ipc
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-ipc/MAL-2026-3744.json"
indicators
{
"evidence_files": [
{
"path": "node-ipc.cjs",
"tlsh": "42b3b20437c2f44513939275774fe0daf5371ca6a04c8996f26ca8f0af92626f2f4a79",
"sha256": "96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144"
}
],
"package_integrity": [
{
"filename": "node-ipc-9.1.6.tgz",
"hashes": {
"sha1": "f5974a9774a22a863728b960543f68e7009099ef",
"sha512_sri": "sha512-ParJgA8rMBa1CAv6QFDZYzZxsNsmHWL24RapTSVbZB9qVE+dC7mHNwDj5gcd874bKjjk7w0pI/WMYrx9TxU7nQ=="
}
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]