Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Three malicious Node-IPC versions (11.10.2-11.10.4) carried an npmCove stealer backdoor harvesting dev tokens. ~14,500 downloads during the 12-hour window. Rotate npm + GitHub tokens.
What’s new: Three malicious versions of the Node-IPC package (versions 11.10.2, 11.10.3, and 11.10.4) have been identified, containing a stealer backdoor specifically designed to target developer secrets. The backdoor, named npmCove, is engineered to harvest authentication tokens and credentials from various services. The malicious versions were live for approximately 12 hours before being unpublished by NPM moderators.
Who’s affected
Organizations and developers using Node-IPC are at risk, particularly those who may have installed the affected versions during the brief window of availability. Approximately 14,500 downloads of the malicious versions are estimated to have occurred.
What to do
- Immediately check your project’s dependencies for the affected Node-IPC versions (11.10.2, 11.10.3, 11.10.4).
- Rotate any potentially compromised secrets, including npm tokens, GitHub tokens, and other authentication credentials.
- Monitor for any unauthorized access or anomalies in your developer machines and CI environments.
- Implement stricter security measures around the use of third-party packages and consider using tools to detect and manage software supply chain risks.
