VDB
GCVE-110-OSM-2026-4182
GCVE-110-OSM-2026-4182
Advisory PublishedCVSS 9.6/10
The widely-used npm package node-ipc was compromised via a maintainer account takeover. The dormant npm account `atiertant` was recovered through an expired email domain, and attacker-published versions (9.1.6, 9.2.3, 12.0.1) ship an obfuscated credential stealer appended as an IIFE to node-ipc.cjs. The CommonJS entrypoint forks a child process that enumerates SSH keys, cloud credentials (AWS/Azure/GCP), container secrets, Kubernetes configs, npm tokens, and CI environment variables across 240+ credential patterns, then exfiltrates via DNS TXT tunneling to attacker infrastructure disguised as Azure services.
=== PAYLOAD: CommonJS Entrypoint Hijack ===
Malicious payload found in: node-ipc.cjs (obfuscated IIFE appended)
Clean wrapper preserved at: node-ipc.js (ESM)
Forking marker: __ntw=1 environment variable on spawned child
Staging file: <os.tmpdir()>/nt-<pid>/<machineHex>.tar.gz
Targets:
- 113 macOS credential patterns + 127 Linux/default patterns
- SSH keys, AWS/Azure/GCP configs, Kubernetes/container secrets, npm tokens
- All process environment variables (including CI secrets)
Exfiltration chain:
- Base64 → XOR with SHA-256 keystream → character substitution → DNS hex encoding
- Bootstrap resolver: sh.azurestaticprovider.net:443
- DNS exfil zone: bt.node.js
- Query prefixes: xh., xd., xf.
- Backing IP: 37.16.75.69
File hashes (SHA-256):
- node-ipc.cjs: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
- node-ipc-9.1.6.tgz: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
- node-ipc-9.2.3.tgz: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
- node-ipc-12.0.1.tar.gz: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
Affected versions: 9.1.6, 9.2.3, 12.0.1 (active); 10.1.1, 10.1.2, 11.0.0, 11.1.0 (historical)
Compromised maintainer: atiertant (account takeover via expired email domain recovery)
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | node-ipc | all (affected) | — |
| AWS | config | — | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.