Feross

28.5K posts

@feross

⚡️ Founder + CEO @SocketSecurity (https://t.co/7g1opA7Tr8) • 🌲 Visiting lecturer @Stanford (https://t.co/yw9prxLiLe) • ❤️ Open source @WebTorrentApp + @StandardJS

Stanford, CA Joined August 2008
1.6K Following 40.5K Followers
Pinned Tweet
Feross
Feross@feross·
🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication.

The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads.

The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require("node-ipc"), not through a postinstall script. Here’s what it does:
• Fingerprints the host (OS, arch, hostname, uname)
• Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more)
• Dumps the entire process.env, capturing every CI secret and cloud credential in memory
• Builds a gzip archive in a temp directory
• Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain)

The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively.

The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require("node-ipc").__ntRun() can trigger a second collection/exfiltration cycle.

ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are.

This is the same package involved in the 2022 protestware incident. It has a history.

If you use node-ipc:
• Do not install 9.1.6, 9.2.3, or 12.0.1
• Audit your lockfiles for these versions
• If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately.
• Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs
• Check for temp files matching /nt-/.tar.gz

Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector.

Developing story. Full technical breakdown and IOCs on the Socket blog: socket.dev/blog/node-ipc-…
6
29
105
254.9K
Feross retweeted
SC Media
SC Media@SCMagazine·
The “Mini” Shai-Hulud campaign compromised hundreds of npm and PyPI packages, using stolen OIDC tokens to bypass trusted integrity checks and target developers. #cybersecurity #CISO #infosec bit.ly/4dkDr3B
2
4
7
1.4K
Feross
Feross@feross·
Another day, another MASSIVE npm supply chain attack. If you haven't installed @SocketSecurity yet (it's free!), you should have done this yesterday. The second best time to install it is today!
Socket@SocketSecurity

🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads.

Affected versions:
node-ipc@9.1.6
node-ipc@9.2.3
node-ipc@12.0.1

Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.

8
21
284
290.9K
Feross retweeted
Socket
Socket@SocketSecurity·
Yep, that works as a lightweight local guardrail. It makes Socket Firewall the default path for everyday installs. For macOS/Linux users, the equivalent in zsh/bash would be:
alias npm="sfw npm"
alias yarn="sfw yarn"
alias pnpm="sfw pnpm"
alias pip="sfw pip"
alias uv="sfw uv"
alias cargo="sfw cargo"
7
6
98
7.9K
Feross retweeted
Socket
Socket@SocketSecurity·
🐘 @packagist is urging #PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. GitHub has rolled back the token change for now, but affected projects still need to update Composer. socket.dev/blog/packagist…
0
22
60
10.6K
Feross retweeted
Socket
Socket@SocketSecurity·
🏁 TeamPCP and BreachForums are running a supply chain attack contest: $1,000 in Monero for the biggest haul of compromised open source packages, measured by download counts. The group open sourced Shai-Hulud as attack tooling and requires it for entry. socket.dev/blog/teampcp-s…
1
12
35
8.1K
Feross
Feross@feross·
@DLTA_Sec @tan_stack Wrong. Knowing what a package does, through static analysis (and other techniques), is exactly how we at @SocketSecurity detect these attacks in mere minutes.
0
0
3
31
DLTA
DLTA@DLTA_Sec·
@feross @tan_stack Signing and provenance told us the package came from where it claimed; static analysis can tell us what it does, but neither catches the maintainer who quietly hands their token to someone else, which is where every TanStack-class incident actually starts.
2
0
0
41
Feross
Feross@feross·
🚨 Active supply chain attack on @tan_stack. 84 npm packages in the @tanstack namespace have been compromised with a credential-stealing worm.

@tanstack/react-router alone has 12M+ weekly downloads. The affected packages span react-router, solid-router, vue-router, start, and dozens more across the TanStack ecosystem. Additional compromised packages were also found in the @uipath namespace and several other organizations.

Socket flagged every malicious version within six minutes of publication.

Here's what the malware does:
• Injects a 2.3 MB obfuscated file (router_init.js) that daemonizes itself on install, detaching from the terminal so nothing looks wrong
• Harvests credentials from GitHub Actions (including OIDC tokens), AWS (IMDSv2, Secrets Manager, SSM across multiple regions), HashiCorp Vault, and Kubernetes service accounts
• Uses stolen OIDC tokens to autonomously republish itself to npm under the compromised maintainer's identity, turning every infected CI pipeline into a new propagation vector
• Writes persistence hooks into .claude/ and .vscode/ directories so it survives across reboots and re-executes when developers use Claude Code or open VS Code
• Exfiltrates everything through the Session decentralized P2P network, making C2 traffic nearly indistinguishable from encrypted messaging
• Commits copies of itself to maintainer repositories via GitHub's GraphQL API, spoofing the author as claude@users.noreply.github.com to blend in with legitimate Claude Code activity
• Generates valid Sigstore provenance attestations for the malicious packages, meaning provenance badges alone cannot be trusted as a security signal

The attack vector: an orphaned commit (no parent history) in the TanStack/router repo was used to hijack the CI workflow's OIDC token, bypassing existing publishing protections including 2FA.

The commit was authored by the account "voicproducoes," whose repos include projects named "A Mini Shai-Hulud has Appeared," linking this to an ongoing campaign Socket has been tracking.

TanStack maintainer Tanner Linsley confirmed the attack and the team is unpublishing compromised versions and shutting down publishing pipelines while they remediate.

What to do right now:
• Check your dependency tree for router_init.js. SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
• Rotate npm tokens, GitHub PATs, AWS credentials, Vault tokens, and K8s service account tokens on any system that installed an affected version
• Audit .claude/ and .vscode/ directories for router_runtime.js, setup.mjs, or unfamiliar hooks
• Check git log for commits authored by claude@users.noreply.github.com that weren't initiated through the legitimate Claude Code app
• Block egress to filev2.getsession[.]org at the DNS level
• Do not trust Sigstore provenance badges alone

Full list of affected packages and IOCs: socket.dev/blog/tanstack-…

Developing story...
9
29
192
1.5M
Feross retweeted
ℏεsam
ℏεsam@Hesamation·
nothing, just running “npm install”
7
112
1.1K
35.2K
Jose Enrique Hernandez
Jose Enrique Hernandez@_josehelps·
Aside from pinning package builds (which is still a dubious fix) and having hope that the EDR has signatures for what’s about to get dropped. How else can defenders prevent a bad package install from wrecking their environments? Assuming execution?? ..starts with app and ends with control
The Haag™@M_haggis

🪱 preinstall. postinstall. payload. Would your detections catch it?

With npm supply-chain attacks continuing to evolve, I wanted a safe way to emulate the behaviors attackers actually use, from workflow injection to staged payload downloads and token theft.

That’s why I built: 🧪 github.com/MHaggis/NPM-Th…

A lightweight toolkit for safely testing:
• malicious npm install behavior
• postinstall/preinstall execution
• workflow tampering
• staged downloads & mock exfiltration
• EDR/SIEM/CI visibility

I also wrote Splunk detections covering npm supply-chain compromise behaviors: 📖 research.splunk.com/stories/npm_su…

These attacks aren’t going away, but defenders can absolutely get ahead of them. ⚔️

3
1
9
1.8K
Supabase
Supabase@supabase·
Heads up: there's currently a typosquatting package on npm pretending to be related to Supabase: 𝗌​​​​𝗎𝗉𝖺𝖻𝖺𝗌𝖾-𝗃𝖺𝗏𝖺𝗌𝖼𝗋𝗂𝗉𝗍 This is not an official Supabase package. Always verify package names before installing dependencies, especially when using AI/codegen tools that may hallucinate package names. Official packages are published under the @𝗌𝗎𝗉𝖺𝖻𝖺𝗌𝖾/* 𝗌𝖼𝗈𝗉𝖾. We're actively working to get this package taken down.
16
44
213
32.5K
Feross retweeted
Ben Vinegar
Ben Vinegar@bentlegen·
Relatedly I don’t see how any OSS maintainer can safely merge code they didn’t read/vet
Socket@SocketSecurity

🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading.

Newly confirmed compromised artifacts:
@opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
mistralai: 2.4.6 on PyPI
guardrails-ai: 0.10.1 on PyPI
additional @squawk/* packages on npm

guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification.

The git-tanstack.com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)”

The page also linked to a YouTube video and you can probably guess which one.

4
6
58
21.9K
Feross retweeted
Samuel Umoren
Samuel Umoren@saameeey·
This is how I set up Socket Firewall to protect my local dev environment from supply chain attacks.

The core idea is simple: package installs are now part of the attack surface. npm install, pip install, CI jobs, and LLM agent workspaces can all execute attacker-controlled code before anything reaches production.

So I wrapped my package managers with @SocketSecurity’s sfw, cleared local caches, and made normal commands like npm, pnpm, yarn, pip, uv, and cargo route through Socket Firewall by default.

The article covers:
1. Why the TanStack npm compromise made this urgent
2. How install-time protection differs from auditing after the fact
3. The shell wrapper setup
4. What LLM coding agents should do before installing packages

Supply chain security cannot depend on everyone remembering to be careful at the exact moment they are trying to move fast. The safer path has to become the default path.
Samuel Umoren@saameeey

x.com/i/article/2054…

0
6
43
9.3K
Feross retweeted
Catalin
Catalin@catalinmpit·
Just close the internet at this point.
Socket@SocketSecurity

🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading.

Newly confirmed compromised artifacts:
@opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
mistralai: 2.4.6 on PyPI
guardrails-ai: 0.10.1 on PyPI
additional @squawk/* packages on npm

guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification.

The git-tanstack.com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)”

The page also linked to a YouTube video and you can probably guess which one.

1
2
25
5.6K