VDB

GCVE-110-OSM-2026-4182

GCVE-110-OSM-2026-4182
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 14, 2026
The widely-used npm package node-ipc was compromised via a maintainer account takeover. The dormant npm account `atiertant` was recovered through an expired email domain, and attacker-published versions (9.1.6, 9.2.3, 12.0.1) ship an obfuscated credential stealer appended as an IIFE to node-ipc.cjs. The CommonJS entrypoint forks a child process that enumerates SSH keys, cloud credentials (AWS/Azure/GCP), container secrets, Kubernetes configs, npm tokens, and CI environment variables across 240+ credential patterns, then exfiltrates via DNS TXT tunneling to attacker infrastructure disguised as Azure services. === PAYLOAD: CommonJS Entrypoint Hijack === Malicious payload found in: node-ipc.cjs (obfuscated IIFE appended) Clean wrapper preserved at: node-ipc.js (ESM) Forking marker: __ntw=1 environment variable on spawned child Staging file: <os.tmpdir()>/nt-<pid>/<machineHex>.tar.gz Targets: - 113 macOS credential patterns + 127 Linux/default patterns - SSH keys, AWS/Azure/GCP configs, Kubernetes/container secrets, npm tokens - All process environment variables (including CI secrets) Exfiltration chain: - Base64 → XOR with SHA-256 keystream → character substitution → DNS hex encoding - Bootstrap resolver: sh.azurestaticprovider.net:443 - DNS exfil zone: bt.node.js - Query prefixes: xh., xd., xf. - Backing IP: 37.16.75.69 File hashes (SHA-256): - node-ipc.cjs: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144 - node-ipc-9.1.6.tgz: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e - node-ipc-9.2.3.tgz: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea - node-ipc-12.0.1.tar.gz: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 Affected versions: 9.1.6, 9.2.3, 12.0.1 (active); 10.1.1, 10.1.2, 11.0.0, 11.1.0 (historical) Compromised maintainer: atiertant (account takeover via expired email domain recovery)

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnode-ipcall (affected)
AWSconfig

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›