Credential-Stealing Malware Found in Compromised node-ipc npm Package
Malicious actors have injected credential-stealing code into recent versions of the popular node-ipc npm package, in a new supply chain attack.
A supply chain attack has targeted the npm ecosystem, with malicious actors injecting credential-stealing malware into newly published versions of the popular node-ipc package. This incident highlights the ongoing risks associated with third-party dependencies in software development [BleepingComputer].
The compromised versions of node-ipc were designed to steal credentials from developers and systems that installed the package. This type of attack is particularly dangerous because it leverages the trust developers place in widely used, legitimate packages.
Developers and organizations that use node-ipc are advised to audit their dependencies and confirm they are running secure, verified versions of the package. This incident underscores the need for robust supply chain security practices, including dependency scanning and verification, to keep malicious code out of development pipelines.
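As an added illustration of the dependency audit recommended above (example code, not from the article or the node-ipc project), the script below parses an npm package-lock.json, lists every resolved copy of node-ipc including nested copies, and flags versions not on a reviewed allowlist or entries missing an integrity hash. The lockfile content and all version strings are constructed placeholders; substitute the versions your team has actually reviewed.

```python
"""Audit a package-lock.json for unreviewed copies of a dependency.

Added example, not from the article. Lockfile content and version strings below
are constructed placeholders, not real node-ipc release numbers.
"""
import json

# Placeholder allowlist: replace with the versions you have reviewed.
ALLOWED_NODE_IPC_VERSIONS = {"0.0.0-placeholder-reviewed"}


def find_package_versions(lock, name):
    """Return {lockfile_path: (version, integrity)} for every copy of `name`.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path)
    and lockfileVersion 1 ("dependencies" nested tree), so transitive
    copies pulled in by other packages are not missed.
    """
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + name):
            found[path] = (meta.get("version"), meta.get("integrity"))

    def walk(deps, prefix):
        for dep, meta in deps.items():
            path = prefix + "node_modules/" + dep
            if dep == name:
                found[path] = (meta.get("version"), meta.get("integrity"))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def audit_lock(lock_text, name, allowed):
    """Return a list of findings; an empty list means every copy passed."""
    findings = []
    for path, (version, integrity) in find_package_versions(json.loads(lock_text), name).items():
        if version not in allowed:
            findings.append(f"{path}: {name}@{version} is not a reviewed version")
        if not integrity:
            findings.append(f"{path}: {name}@{version} has no integrity hash, so npm cannot verify the tarball")
    return findings


# Constructed sample lockfile (lockfileVersion 3 layout), not a real project's file.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "node_modules/node-ipc": {"version": "0.0.1-placeholder-unreviewed", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/some-lib/node_modules/node-ipc": {"version": "0.0.0-placeholder-reviewed"},
}})

if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK, "node-ipc", ALLOWED_NODE_IPC_VERSIONS) or ["no findings"]:
        print(line)
```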