ctipilot.ch

node-ipc npm package backdoored via expired-domain account takeover (versions 9.1.6 / 9.2.3 / 12.0.1)

incident · incident:node-ipc-supply-chain-2026-05

Coverage timeline: 2 (first 2026-05-16 → last 2026-05-16)
Briefs: 1 (1 distinct)
Sources cited: 0 (0 hosts)
Sections touched: 2 (action_items, active_threats)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-16: CTI Daily Brief — 2026-05-16
    active_threats: First coverage. atiertant maintainer account hijacked via expired atlantis-software.net domain re-registered 2026-05-07; three malicious versions published 2026-05-14 with 80KB obfuscated IIFE in node-ipc.cjs harvesting ~90 cloud/CI/SSH/Keychain credential categories; exfil over DNS TXT to bt.node.js + HTTPS to sh.azurestaticprovider.net; v12.0.1 has SHA-256 fingerprint targeting; Socket flagged within ~3 min.
  2. 2026-05-16: CTI Daily Brief — 2026-05-16
    action_items: First coverage. atiertant maintainer account hijacked via expired atlantis-software.net domain re-registered 2026-05-07; three malicious versions published 2026-05-14 with 80KB obfuscated IIFE in node-ipc.cjs harvesting ~90 cloud/CI/SSH/Keychain credential categories; exfil over DNS TXT to bt.node.js + HTTPS to sh.azurestaticprovider.net; v12.0.1 has SHA-256 fingerprint targeting; Socket flagged within ~3 min.

Where this entity is cited

  • active_threats: 1
  • action_items: 1

Items in briefs about node-ipc npm package backdoored via expired-domain account takeover (versions 9.1.6 / 9.2.3 / 12.0.1)

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.