Crypto Developers Hit as Malicious node-ipc Versions Trigger Supply Chain Attack

A supply chain attack targeting the widely used Node.js package node-ipc has raised fresh security concerns across the crypto industry after three malicious versions of the library were found stealing sensitive developer credentials.

Blockchain security firm SlowMist said the compromised releases, versions 9.1.6, 9.2.3, and 12.0.1, carried hidden malware capable of extracting cloud credentials, private keys, and developer secrets from infected systems.

Malicious package hit thousands of systems

The compromised versions of node-ipc were briefly available on npm before being removed, but the package’s scale made the threat significant. Node-ipc has recorded more than 822,000 weekly downloads, increasing the risk that crypto projects unknowingly installed infected versions during the exposure window.

According to SlowMist, the malicious code executed automatically whenever the package was loaded through a standard require('node-ipc') call. No user interaction was needed for the malware to activate.

Researchers found that each infected version contained the same obfuscated 80 KB payload hidden inside the package bundle.

Crypto credentials among main targets

The malware was designed to steal more than 90 types of credentials and sensitive files from developers’ systems. Targets included Amazon Web Services (AWS) tokens, Microsoft Azure secrets, Google Cloud credentials, SSH keys, Kubernetes configurations, GitHub CLI tokens, and shell history files.

For crypto developers, the biggest concern involves .env files, which often store wallet private keys, RPC credentials, exchange API keys, and other blockchain infrastructure secrets. The stolen data was reportedly exfiltrated through DNS tunnelling.

Meanwhile, cybersecurity experts have sounded the alarm on a new malware campaign targeting users of popular crypto wallets like Atomic and Exodus, with Ethereum, XRP, and Solana assets in the crosshairs.

Expired email domain enabled the attack

Security researchers at StepSecurity said attackers did not breach node-ipc’s original codebase. Instead, they gained access by taking over a dormant maintainer account.

The attackers reportedly re-registered the expired atlantis-software.net domain after it lapsed earlier this year, then used it to reset the maintainer’s npm password and regain publishing access. Security teams have urged developers to immediately audit dependencies and lock files for the compromised node-ipc versions, and to roll back to verified, clean releases.

Supply chain attacks against the npm ecosystem represent a persistent threat in 2026, positioning cryptocurrency projects as high-value targets because their credentials offer direct routes to financial assets.
