node-ipc npm package — backdoored via expired-domain account takeover
notable incident · discovered 2026-05-11 05:00 UTC · single-source
Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)
The node-ipc npm package was backdoored via an expired-domain account takeover: 90+ credential categories exfiltrated, three malicious versions, and a ~3-minute window to detection (daily 2026-05-16). The lesson for defenders is the expired-domain account-takeover vector: when a package maintainer's email domain lapses, it becomes a one-time supply-chain compromise vector. Operational pattern-match: audit npm / PyPI / Cargo dependency trees by maintainer email domain, and verify that each domain still belongs to the original maintainer.
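
One way to run the audit described above over npm registry `maintainers` metadata, as an added example (not code from this brief or from node-ipc): it groups a dependency tree's maintainers by email domain and ranks the domains by registration status. The package names, domains, expiry dates and the `auditMaintainerDomains` helper are constructed for illustration, and the expiry data is assumed to be collected separately.

```javascript
// Constructed sample: `maintainers` arrays as found in npm registry package
// metadata, reduced to the fields used here. All names are made up.
const SAMPLE_PACKAGES = [
  { name: "ipc-helper", maintainers: [{ name: "alice", email: "alice@small-studio.example" }] },
  { name: "log-fmt",    maintainers: [{ name: "bob", email: "bob@gmail.com" }] },
  { name: "retry-kit",  maintainers: [{ name: "alice", email: "Alice@Small-Studio.example" },
                                      { name: "carol", email: "carol@devshop.example" }] },
  { name: "no-contact", maintainers: [{ name: "dave" }] },
];
// Constructed registration expiry dates (assumption: gathered separately,
// e.g. from registrar, RDAP or WHOIS data).
const SAMPLE_EXPIRY = { "small-studio.example": "2026-05-01", "devshop.example": "2027-03-15" };
// Large shared mailbox providers: the domain itself will not lapse, so the
// risk there is account-level rather than registration-level. Extend as needed.
const SHARED_PROVIDERS = new Set(["gmail.com", "outlook.com", "proton.me"]);

function auditMaintainerDomains(packages, expiryByDomain, today, warnDays = 90) {
  const byDomain = new Map(); // domain -> Set of package names
  for (const pkg of packages) {
    for (const m of pkg.maintainers || []) {
      const at = typeof m.email === "string" ? m.email.lastIndexOf("@") : -1;
      const domain = at > 0 ? m.email.slice(at + 1).trim().toLowerCase() : "(no email)";
      if (!byDomain.has(domain)) byDomain.set(domain, new Set());
      byDomain.get(domain).add(pkg.name);
    }
  }
  const now = Date.parse(today);
  const findings = [];
  for (const [domain, pkgs] of byDomain) {
    let status;
    if (domain === "(no email)") status = "no-email";
    else if (SHARED_PROVIDERS.has(domain)) status = "shared-provider";
    else {
      // A missing or unparseable date yields NaN and is reported, not passed.
      const exp = Date.parse(expiryByDomain[domain] ?? "");
      const daysLeft = Math.floor((exp - now) / 86400000);
      status = Number.isNaN(daysLeft) ? "unknown-expiry"
        : daysLeft < 0 ? "expired" : daysLeft <= warnDays ? "expiring-soon" : "ok";
    }
    findings.push({ domain, status, packages: [...pkgs].sort() });
  }
  // Most urgent first: lapsed domains, then ones with no expiry data.
  const rank = { expired: 0, "expiring-soon": 1, "unknown-expiry": 2,
                 "no-email": 3, "shared-provider": 4, ok: 5 };
  return findings.sort((a, b) =>
    rank[a.status] - rank[b.status] || a.domain.localeCompare(b.domain));
}
```

Domains reported as `expired`, `expiring-soon` or `unknown-expiry` are the ones to follow up on before trusting new releases of the listed packages.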