Tags: supply chain · TeamPCP · small business · remediation

node-ipc Backdoored Through an Expired Domain. 10 Million Weekly Downloads.

An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.

Darius J Davis · May 15, 2026

#The attack cost twelve dollars.

That's what a domain registration costs. And that's all it took to backdoor a package with 10 million weekly downloads.

node-ipc is one of those packages most developers don't even know they depend on. It's a transitive dependency, pulled in by other packages, used for inter-process communication. It's everywhere. And on May 14, 2026, three malicious versions were published: 9.1.6, 9.2.3, and 12.0.1.

Here's how: node-ipc had a co-maintainer whose email was tied to a domain that expired. The attacker registered that expired domain for twelve dollars. Then they went to npm, clicked "forgot password" for the co-maintainer's account, and received the password reset email at the domain they now controlled.

No exploit. No vulnerability. No npm infrastructure compromise. A standard password reset to an email address the attacker controlled because they bought the domain it was registered on.

With publish access, they pushed versions carrying an obfuscated credential stealer that harvests 90+ categories of secrets and exfiltrates them via DNS TXT queries. Not HTTP. DNS. Because DNS queries bypass most egress firewalls and web filtering. Your network monitoring probably isn't watching DNS payload data.

#90+ secret categories. Via DNS.

Let me be specific about what the stealer grabs, because "90+ categories" sounds abstract until you see the list:

[Image: ~/teampcp/harvest · post-compromise credential sweep]

The DNS exfiltration is the smart part. Most organizations monitor outbound HTTP/HTTPS traffic. Some have proxies, firewalls, or DLP that inspect web requests. Very few monitor DNS query payloads. The stealer encodes stolen credentials into DNS TXT query requests to sh.azurestaticprovider.net, which looks like a legitimate Azure endpoint to anyone glancing at DNS logs.

Your secrets leave your network disguised as DNS lookups. By the time you notice, they're already validated and being used to enumerate your cloud infrastructure.

#This attack method is repeatable. Right now.

The scary part isn't that it happened to node-ipc. It's that it can happen to any npm package with a stale maintainer account.

How many npm packages have maintainers with:

  • Email addresses on expired domains?
  • Personal email accounts they no longer check?
  • Company email addresses from companies they no longer work at?

Nobody's auditing this at scale. npm doesn't verify that maintainer email domains are still active. There's no alerting when a domain associated with a maintainer account expires. The attack surface is every dormant maintainer email across the entire npm registry.

And it's not just npm. The same pattern works on PyPI, RubyGems, and any package registry that uses email-based password resets.

#What to do.

If you use node-ipc (directly or transitively):

  1. Check your package-lock.json for versions 9.1.6, 9.2.3, or 12.0.1. If you have them, you were exposed.
  2. If a compromised version ran in your environment after May 14, rotate every secret it could have reached. AWS keys, npm tokens, GitHub PATs, SSH keys, database credentials, everything listed in the credential harvest above.
  3. Check DNS egress logs for queries to sh.azurestaticprovider.net. If you see them, exfiltration occurred.
  4. Downgrade to a known-clean version or find an alternative package.

For everyone managing npm packages:

  1. Audit your co-maintainer accounts. Are their email domains still active? Are they still reachable? If a co-maintainer left the company two years ago and their email bounces, their account is a takeover target.
  2. Enforce publish MFA. npm supports it. If your package can be published without a second factor, a stolen or reset password is all an attacker needs. Enable it on every package you maintain.
  3. Use npm provenance and encourage your dependencies to use it. Provenance ties published packages to specific CI/CD pipelines, making unauthorized publishes detectable.

For businesses:

  1. Use Socket.dev or Snyk to monitor your dependency tree for supply chain attacks. These tools detect suspicious install scripts, unexpected network access, and unauthorized package publishes.
  2. Pin your dependency versions and review updates before accepting them. Detailed guide here.
  3. Assume your DNS is being watched. Set up DNS monitoring that flags unusual query patterns, especially TXT queries to unfamiliar domains. Pi-hole can help at the network level. Cloud DNS services (Route53, Cloudflare DNS) have query logging.
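The DNS exfiltration described earlier and the DNS-monitoring advice in step 3 above, as an added example that is not from the post: a detector run over constructed BIND-style query-log lines that flags queries to the domain named in the post, TXT queries whose labels look like encoded payloads (long, high-entropy), and TXT queries to names outside an allowlist. The allowlist, the entropy and length thresholds, and the log line format are assumptions to adjust for your own resolver.

```javascript
// Added example (not from the post): flag DNS queries matching the exfiltration
// pattern described above, over constructed BIND-style query-log lines.
const KNOWN_EXFIL_DOMAINS = ['sh.azurestaticprovider.net']; // endpoint named in the post
const TXT_ALLOWLIST = new Set(['_dmarc.example.com', 'example.com']); // assumed per-site list
const MIN_PAYLOAD_LABEL = 20, MIN_ENTROPY_BITS = 3.5; // assumed thresholds, tune to your logs

// Shannon entropy in bits per character; hex/base32 payloads score well above English.
function entropy(s) {
  const n = s.length, counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const k of counts.values()) h -= (k / n) * Math.log2(k / n);
  return h;
}

// Parse "client 10.0.0.5#41234: query: x.example.com IN TXT + (10.0.0.1)".
function parseQueryLine(line) {
  const m = line.match(/client (\S+?)#\d+: query: (\S+) IN (\S+)/);
  return m ? { client: m[1], qname: m[2].replace(/\.$/, ''), qtype: m[3] } : null;
}

// Returns a reason string when the query is suspicious, otherwise null.
function classifyQuery(q) {
  if (KNOWN_EXFIL_DOMAINS.some(d => q.qname === d || q.qname.endsWith('.' + d))) return 'known-exfil-domain';
  if (q.qtype !== 'TXT' || TXT_ALLOWLIST.has(q.qname)) return null;
  const payload = q.qname.split('.').some(l => l.length >= MIN_PAYLOAD_LABEL && entropy(l) >= MIN_ENTROPY_BITS);
  return payload ? 'encoded-txt-payload' : 'txt-to-unfamiliar-domain';
}

// Scan log text; returns [{client, qname, qtype, reason}] for every flagged query.
function detectExfil(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const q = parseQueryLine(line);
    const reason = q && classifyQuery(q);
    if (reason) hits.push({ ...q, reason });
  }
  return hits;
}

// Constructed sample: IoC hit, ignored A lookup, allowlisted TXT, encoded TXT, odd TXT.
const SAMPLE_LOG = [
  'client 10.0.0.5#41234: query: 4a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.sh.azurestaticprovider.net IN TXT + (10.0.0.1)',
  'client 10.0.0.7#50001: query: www.npmjs.com IN A + (10.0.0.1)',
  'client 10.0.0.7#50002: query: _dmarc.example.com IN TXT + (10.0.0.1)',
  'client 10.0.0.9#50003: query: qjf4k2m9x8v1b7n3z5c6p0r2t4w8y1u3.updates-cdn.example IN TXT + (10.0.0.1)',
  'client 10.0.0.9#50004: query: status.vendor-cdn.example IN TXT + (10.0.0.1)',
].join('\n');
for (const h of detectExfil(SAMPLE_LOG)) console.log(`${h.reason}\t${h.client}\t${h.qname}`);
```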

#Further reading
