16 May 2026·Source: CryptopolitanBLOCKCHAIN EXCHANGE CRYPTOCURRENCY

Node-ipc supply chain attack targets crypto devs

Three poisoned versions of node-ipc went live on the npm registry on May 14, according to SlowMist. env files. js package that lets different programs talk to each other on the same machine, or sometimes across a network.

SlowMist catches the breach Blockchain security firm, SlowMist, spotted the breach through their MistEye threat intel system. 6. 3.

1. All of the above verions carried the same obfuscated 80 KB payload. js.

js programs send messages back and forth. Over 822,000 people download it each week. Node-ipc is used all over the crypto space.

It’s used in the tools developers use to build dApps , in the systems that automatically test and deploy code (CI/CD), and in everyday developer tools. Each infected version had the same hidden malicious code bolted onto it. The moment any program loaded node-ipc, the code ran automatically.

Screenshot from MistyEye showing malicious node-ipc packages. Source: SlowMist via X. Researchers at StepSecurity figured out how the attack happened.

]net. However, the domain expired on January 10, 2025. On May 7, 2026, the attacker bought the same domain through Namecheap, which gave them control of the developer’s old email.

From there, they just hit “forgot password” on npm, reset it, and walked right in with full permission to publish new versions of node-ipc. The real developer had no clue any of this was happening. The malicious versions stayed live for about two hours before removal.

The stealer looks for 90+ credential types The embedded payload hunts for over 90 types of developer and cloud credentials. AWS tokens, Google Cloud and Azure secrets, SSH keys, Kubernetes configs, GitHub CLI tokens, all on the list. env files.

Those usually hold private keys, RPC node credentials, and exchange API secrets. To sneak the stolen data out, the payload uses DNS tunneling. It basically hides the files inside normal-looking internet lookup requests.

Most network security tools don’t catch that. Security teams are saying any project that ran npm install or had auto-updated dependencies during that two hour window should assume compromise. 1.

Roll back to the last version you know is safe. Change every credential that might have leaked. Supply chain attacks on npm have become a regular thing in 2026.

Crypto projects get hit harder than most because stolen logins can be turned into stolen money fast. Don’t just read crypto news. Understand it.

Subscribe to our newsletter. It's free .

Mentioned in this story

Coins covered

JUSTJST
Live price, charts & AUD analysis
View JST

Read the original on Cryptopolitan

This analysis is generated automatically based on reporting by Cryptopolitan and is for informational purposes only — not financial advice. Always do your own research.

← Back to all news