ctipilot.ch

`node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

On 2026-05-14, three malicious versions of the node-ipc npm package (9.1.6, 9.2.3, and 12.0.1) were published simultaneously from the long-dormant maintainer account atiertant. node-ipc is a widely used Node.js IPC library; CSO Online reports roughly 700 K weekly downloads and a presence as a transitive dependency in hundreds of projects, including Vue CLI and various webpack tooling. The account's registered email domain, atlantis-software.net, had expired in January 2025 and was re-registered by the attacker through Namecheap on 2026-05-07. The attacker used the recovered domain to receive an npm password-reset email, took over the account, and published the backdoored versions (Socket Security, 2026-05-14 · StepSecurity, 2026-05-14 · The Hacker News, 2026-05-14 · CSO Online, 2026-05-14).

The payload is an 80 KB obfuscated immediately-invoked function expression (IIFE) appended to node-ipc.cjs, the CommonJS bundle. It is scheduled with setImmediate() and runs unconditionally on every require('node-ipc'). It does not use an npm lifecycle hook (preinstall, postinstall), so it executes at import time rather than install time: install-time scanners that key on lifecycle scripts see nothing, --ignore-scripts does not prevent it, and npm audit cannot flag it until an advisory exists for the versions. Four layers of obfuscation (string-array shuffling, control-flow flattening, dead-code injection, and a custom reversed-nibble base-16 encoding) frustrate static signature matching.

The collector enumerates roughly 90 file-path patterns covering AWS, Azure, GCP, OCI, DigitalOcean, Hetzner, Fly, and Vercel credentials and configs; SSH private keys; Kubernetes service-account tokens; GitHub CLI configuration; npm and Git tokens; Terraform state; .env files; shell history; and macOS Keychain databases. Collected data is GZIP-compressed and exfiltrated over two channels in parallel: DNS TXT queries under the bt.node.js suffix and HTTPS POST to sh.azurestaticprovider[.]net:443. Version 12.0.1 adds a SHA-256 fingerprint check so that it fires only inside specific high-value projects; the 9.x versions fire on every host.
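The DNS channel described above is the one a resolver log can catch. The following is an added example, not code from the brief or from the node-ipc project: a detector that reads query records, isolates queries under the bt.node.js suffix, and scores the subdomain labels for length and entropy, since chunked compressed data shows up as long high-entropy labels. The log format (one query per line as ts=, src=, type=, qname= tokens), the thresholds, and the assumption that data rides in the labels left of the suffix are all mine; the brief gives only the suffix. The sample log is constructed.

```javascript
// Added example (not from the advisory or the node-ipc project): flag the DNS
// TXT exfiltration pattern in resolver query logs.
// Assumptions: one query per line as "key=value" tokens with ts, src, type and
// qname fields; stolen data travels in the subdomain labels left of the suffix.
// Thresholds are heuristics, not values from the advisory.

const SUSPECT_SUFFIX = 'bt.node.js';   // exfil suffix named in the advisory
const MAX_BENIGN_PAYLOAD = 24;         // assumption: legitimate labels are shorter
const MIN_ENTROPY_BITS = 3.5;          // assumption: encoded data is high-entropy

// Shannon entropy of a string in bits per character (0 for the empty string).
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Parse one "k=v k=v ..." line; returns null if it carries no qname.
function parseLine(line) {
  const rec = {};
  for (const tok of line.trim().split(/\s+/)) {
    const i = tok.indexOf('=');
    if (i > 0) rec[tok.slice(0, i)] = tok.slice(i + 1);
  }
  return rec.qname ? rec : null;
}

// Returns a finding for queries under the suspect suffix, else null.
function classifyQuery(rec) {
  const raw = rec.qname.replace(/\.$/, '');   // keep case: it carries entropy
  const lower = raw.toLowerCase();
  if (lower !== SUSPECT_SUFFIX && !lower.endsWith('.' + SUSPECT_SUFFIX)) return null;
  const labels = raw.slice(0, -(SUSPECT_SUFFIX.length + 1)).split('.').filter(Boolean);
  const payload = labels.join('');
  const bits = entropy(payload);
  return {
    ts: rec.ts || null,
    src: rec.src || 'unknown',
    type: rec.type || '?',
    qname: raw,
    payloadLen: payload.length,
    entropy: Math.round(bits * 100) / 100,
    // long, high-entropy labels are what chunked encoded data looks like
    likelyExfil: payload.length > MAX_BENIGN_PAYLOAD && bits >= MIN_ENTROPY_BITS,
  };
}

// Scan a whole log; returns per-query findings and a per-source summary.
// Any query under the suffix is worth a ticket; a burst of encoded labels
// from one host means data has already left it.
function analyzeLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    const hit = rec && classifyQuery(rec);
    if (hit) hits.push(hit);
  }
  const bySrc = {};
  for (const h of hits) {
    const s = bySrc[h.src] || (bySrc[h.src] = { queries: 0, exfilQueries: 0, payloadChars: 0 });
    s.queries += 1;
    if (h.likelyExfil) {
      s.exfilQueries += 1;
      s.payloadChars += h.payloadLen;
    }
  }
  return { hits, bySrc };
}

// Constructed sample: one host emitting an encoded TXT query and a short one,
// one host with a bare lookup of the suffix, plus benign noise and a bad line.
const SAMPLE_LOG = [
  'ts=2026-05-14T09:12:01Z src=10.20.4.17 type=A qname=registry.npmjs.org.',
  'ts=2026-05-14T09:12:03Z src=10.20.4.17 type=TXT qname=kq7m2vx9zp3nwhb5.gy8tjr4cde01fs6u.bt.node.js.',
  'ts=2026-05-14T09:12:03Z src=10.20.4.17 type=TXT qname=a1b2c3.bt.node.js.',
  'ts=2026-05-14T09:15:30Z src=10.20.4.22 type=TXT qname=bt.node.js.',
  'malformed line with no fields',
];

// Usage: node dns_exfil_check.js [query.log]  (no argument runs the sample)
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lines = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8').split('\n') : SAMPLE_LOG;
  const { hits, bySrc } = analyzeLog(lines);
  for (const h of hits) {
    console.log(`${h.likelyExfil ? 'EXFIL  ' : 'SUSPECT'} ${h.src} ${h.qname} len=${h.payloadLen} H=${h.entropy}`);
  }
  console.log(JSON.stringify(bySrc, null, 2));
}
```

The bare query for bt.node.js itself and the short a1b2c3 label both come back as SUSPECT rather than EXFIL: anything touching the suffix deserves a look, but only the long high-entropy label is evidence that data was actually carried out. Real resolver exports differ in field names, so adjust parseLine to the log source before relying on the counts.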
The ESM entry point is unaffected. Socket's AI scanner flagged the publish within about 3 minutes, and the malicious versions were removed from the registry shortly thereafter.

MITRE ATT&CK: T1195.002 Compromise Software Supply Chain, T1555 Credentials from Password Stores, T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (DNS TXT), T1083 File and Directory Discovery.

Defender action: enumerate node-ipc installs across the build graph, including transitive copies (npm ls node-ipc --all, or search the lockfile directly, since npm 7+ only shows top-level packages without --all). On any workstation or CI runner that installed one of the three flagged versions between the 2026-05-14 publish time and registry removal, treat every secret reachable from that environment (cloud SDK profiles, SSH keys, npm and Git tokens, Kubernetes contexts, .env contents) as compromised and rotate it. Pin dependencies via lockfile and install with npm ci. Keep --ignore-scripts on in CI as general hygiene, but note that it does not stop this payload, which runs at require time rather than from a lifecycle script. Monitor resolver logs for outbound queries to *.bt.node.js and egress to sh.azurestaticprovider[.]net.
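The enumeration step above, as an added example that is not part of the brief or of the node-ipc project: a lockfile audit that finds the three flagged versions wherever they sit in the tree, including copies nested under another dependency, and reports the chain that pulls each one in. It handles lockfileVersion 2 and 3 (the packages map) and lockfileVersion 1 (the nested dependencies tree). The embedded lockfile is constructed for the example and its dependency names (@vue/cli, some-tool) are illustrative; point it at a real package-lock.json by passing the path as the first argument.

```javascript
// Added example (not from the advisory or the node-ipc project): find the
// flagged node-ipc versions in a package-lock.json, including copies nested
// under other dependencies, and report the chain that pulls each one in.
// Handles lockfileVersion 2/3 ("packages" map) and 1 ("dependencies" tree).
// SAMPLE_LOCK is constructed; its dependency names are illustrative.

const FLAGGED = new Map([
  ['node-ipc', new Set(['9.1.6', '9.2.3', '12.0.1'])],  // versions named in the advisory
]);

// "node_modules/@vue/cli/node_modules/node-ipc" -> ["@vue/cli", "node-ipc"]
// The root project key "" yields [] and is skipped by the caller.
function chainFromKey(key) {
  return key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
}

// Returns [{ name, version, chain, resolved }] for every flagged copy.
function findFlagged(lock) {
  const findings = [];
  const note = (name, meta, chain) => {
    const bad = FLAGGED.get(name);
    if (bad && bad.has(meta.version)) {
      findings.push({ name, version: meta.version, chain, resolved: meta.resolved || null });
    }
  };
  if (lock.packages) {                       // lockfileVersion 2 or 3: flat map keyed by path
    for (const [key, meta] of Object.entries(lock.packages)) {
      const chain = chainFromKey(key);
      if (chain.length) note(chain[chain.length - 1], meta, chain);
    }
  } else if (lock.dependencies) {            // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const chain = [...prefix, name];
        note(name, meta, chain);
        if (meta.dependencies) walk(meta.dependencies, chain);
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// One human-readable line per finding, e.g. "node-ipc@9.2.3 via @vue/cli > node-ipc".
function formatFindings(findings) {
  if (!findings.length) return ['no flagged node-ipc versions in lockfile'];
  return findings.map(f =>
    `${f.name}@${f.version} via ${f.chain.join(' > ')}` + (f.resolved ? ` (${f.resolved})` : ''));
}

// Constructed v3 lockfile: a clean top-level node-ipc plus two nested flagged copies.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@vue/cli': '^5.0.0', 'node-ipc': '^9.1.0' } },
    'node_modules/node-ipc': { version: '9.1.1', resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-9.1.1.tgz' },
    'node_modules/@vue/cli': { version: '5.0.8' },
    'node_modules/@vue/cli/node_modules/node-ipc': { version: '9.2.3', resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-9.2.3.tgz' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '12.0.1' },
  },
};

// Usage: node lockfile_check.js [path/to/package-lock.json]  (no argument runs the sample)
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const line of formatFindings(findFlagged(lock))) console.log(line);
}
```

The top-level 9.1.1 copy is not reported, while the two nested copies are, which is exactly what a bare npm ls without --all would hide. A hit here means the runner or workstation that ran npm install against that lockfile is in the rotate-everything bucket described above; a clean lockfile does not clear a machine that installed from a different or unpinned manifest.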