On May 14, 2026, three malicious versions of node-ipc—a package with millions of weekly downloads—were published to npm. These versions (9.1.6, 9.2.3, and 12.0.1) contained a credential-stealing payload that exfiltrated data covering more than 90 credential categories to azurestaticprovider[.]net. The attack vector appears to be a compromised maintainer account, possibly through an expired domain used for account recovery.
Timeline
May 14, 2026: Malicious versions node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 published to npm registry.
Post-discovery: Snyk issued advisories and detection tools; StepSecurity published analysis identifying expired domain abuse as the likely attack vector.
Current status: Organizations that pulled these versions should treat all credentials on affected systems as potentially compromised.
The rapid publication across multiple version ranges suggests the attacker had full maintainer access and understood the package's release workflow.
Which Controls Failed or Were Missing
No Multi-Factor Authentication on Maintainer Account
The compromise succeeded because a single authentication factor—likely password-based—protected an account controlling a package with massive reach. If the expired domain theory is correct, the attacker reset the password through email verification without needing to bypass a second factor.
Expired Domain Ownership Not Monitored
The maintainer's email domain expired and was re-registered by a third party. This created a direct path to account recovery: request password reset, receive email at now-hostile domain, gain full access. No monitoring detected the domain expiration or the subsequent account activity.
No Package Signing or Verification
The npm ecosystem accepted the malicious packages without cryptographic verification that they came from the legitimate maintainer. There was no signature check, no out-of-band verification for high-impact packages, and no automated flag for unusual publishing patterns from dormant accounts.
Insufficient Dependency Monitoring
Organizations running these versions had no real-time alert when a trusted package suddenly shipped code that contacted external domains and read credential stores. The malicious behavior went undetected until security researchers identified it.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be developed securely based on industry standards. For organizations in scope, this includes vetting third-party code—like npm packages—before deployment. The requirement doesn't stop at your own code; it extends to dependencies that become part of your payment processing environment.
NIST 800-53 Rev 5 SA-12 (Supply Chain Protection) requires organizations to "employ anti-counterfeit technologies, tools, and techniques" and "limit harm from potential adversaries." For software supply chains, this means verifying package integrity, monitoring for unauthorized changes, and maintaining an inventory of components with known provenance.
ISO/IEC 27001:2022 Annex A.5.19 (Information Security in Supplier Relationships) requires you to "define and agree information security requirements with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information." If node-ipc touches production systems, your supplier risk management should have covered its maintainer account security—or at least your response when it fails.
SOC 2 Type II CC6.1 (Logical and Physical Access Controls) requires restricting access to information assets. When you incorporate third-party packages, you're granting their maintainers indirect access to your environment. Your controls must account for that access path, including monitoring for compromise.
None of these standards explicitly say "check if your npm maintainer's domain expired," but they all require you to manage supply chain risk and verify the integrity of code entering your systems.
Lessons and Action Items for Your Team
Enforce MFA on Package Registry Accounts
If your organization publishes packages, require hardware security keys for all maintainer accounts. If you consume packages, prioritize dependencies whose maintainers use strong authentication—npm now displays this in package metadata.
Monitor Domain Expiration for Critical Dependencies
Build a list of your top 20 dependencies by usage and impact. Identify their maintainer contact domains. Set up monitoring for domain expiration dates. When a domain expires, assume the account is compromised until proven otherwise. Remove the package or pin to the last verified version.
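One way to run the domain-expiry check described above, as an added example that is not part of the original post. Package names, maintainer emails (on the reserved .example TLD) and expiry dates are constructed; in practice the maintainer list comes from the npm registry and expiry from RDAP/WHOIS.

```javascript
// Added example (not from the original post): flag maintainer contact domains that
// are expired, expire within a warning window, or have no expiry record. Registry
// metadata and expiry dates are constructed inline so this runs offline; in practice
// `maintainers` comes from https://registry.npmjs.org/<pkg> and expiry from RDAP/WHOIS.

// Constructed registry metadata; the .example TLD is reserved, so these are placeholders.
const registryMetadata = {
  'node-ipc': { maintainers: [{ name: 'maint-a', email: 'a@lapsed-domain.example' }] },
  'example-auth-lib': { maintainers: [
    { name: 'maint-b', email: 'b@renewing-soon.example' },
    { name: 'maint-c', email: 'c@healthy.example' },
  ] },
  'example-no-record': { maintainers: [{ name: 'maint-d', email: 'd@unregistered.example' }] },
};

// Constructed RDAP/WHOIS expiry dates (ISO 8601) keyed by domain.
const domainExpiry = {
  'lapsed-domain.example': '2026-04-30T00:00:00Z',
  'renewing-soon.example': '2026-06-01T00:00:00Z',
  'healthy.example': '2027-01-15T00:00:00Z',
};

function domainOf(email) {
  const at = email.lastIndexOf('@');
  return at === -1 ? null : email.slice(at + 1).toLowerCase();
}

// One finding per maintainer whose domain is not in a healthy state. An unknown
// domain is reported too: a lapsed registration may simply have no record yet.
function auditMaintainerDomains(metadata, expiry, now, warnDays = 30) {
  const findings = [];
  for (const [pkg, info] of Object.entries(metadata)) {
    for (const m of info.maintainers) {
      const domain = domainOf(m.email);
      const exp = domain && expiry[domain];
      let status = 'unknown';
      if (exp) {
        const daysLeft = (Date.parse(exp) - now.getTime()) / 86400000;
        status = daysLeft < 0 ? 'expired' : daysLeft <= warnDays ? 'expiring' : 'ok';
      }
      if (status !== 'ok') findings.push({ pkg, maintainer: m.name, domain, status });
    }
  }
  return findings;
}
```

Run it from a scheduled job against your top-20 list and treat any `expired` or `unknown` result as a pin-or-remove decision, not just an alert.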
Implement Package Signature Verification
Use tools like Sigstore to verify package signatures before installation. For critical dependencies, require signed releases. If the ecosystem doesn't support signing (npm is working on it), use hash verification and pin exact versions in your lockfiles—never use version ranges for high-risk packages.
Deploy Runtime Monitoring for Dependencies
Install tooling that alerts on unexpected network connections from your application. The node-ipc payload contacted azurestaticprovider[.]net—your monitoring should have flagged this as anomalous for a local IPC library. Tools like eBPF-based network monitors or application firewalls can catch this behavior even when static analysis misses it.
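The detection logic behind that alert, as an added example (not the post's or any monitoring product's code). The events are constructed JSON lines in the shape a hypothetical eBPF monitor might emit; the allowed host and the credential-store paths are assumptions, and the egress domain is the one named in this advisory.

```javascript
// Added example (not from the original post): detection logic over constructed events
// of the kind an eBPF monitor emits for the application process. The event shape,
// the allowed egress host and the credential-store paths are assumptions for this example.
// Constructed JSON-lines events; the exfiltration domain is the one named in the advisory.
const EVENTS = `
{"ts":"2026-05-14T10:00:01Z","pid":4242,"comm":"node","type":"connect","dst":"api.internal.example","port":443}
{"ts":"2026-05-14T10:00:02Z","pid":4242,"comm":"node","type":"connect","dst":"/tmp/app.ipc.sock","port":0}
{"ts":"2026-05-14T10:00:03Z","pid":4242,"comm":"node","type":"open","path":"/home/app/.npmrc"}
{"ts":"2026-05-14T10:00:04Z","pid":4242,"comm":"node","type":"connect","dst":"azurestaticprovider.net","port":443}
{"ts":"2026-05-14T10:00:05Z","pid":4242,"comm":"node","type":"open","path":"/home/app/.aws/credentials"}
`.trim();

// Per-process policy: expected egress hosts and credential stores the app never reads.
const POLICY = {
  allowedHosts: new Set(['api.internal.example']),
  credentialPaths: [/\/\.npmrc$/, /\/\.aws\/credentials$/, /\/\.git-credentials$/, /\/\.docker\/config\.json$/],
};

function parseEvents(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// Unix-domain sockets are normal for a local IPC library; any TCP peer outside the
// allowlist, and any read of a credential store, becomes a finding.
function detect(events, policy) {
  const findings = [];
  for (const e of events) {
    if (e.type === 'connect' && !e.dst.startsWith('/') && !policy.allowedHosts.has(e.dst)) {
      findings.push({ ts: e.ts, pid: e.pid, rule: 'unexpected-egress', detail: `${e.dst}:${e.port}` });
    } else if (e.type === 'open' && policy.credentialPaths.some((re) => re.test(e.path))) {
      findings.push({ ts: e.ts, pid: e.pid, rule: 'credential-store-read', detail: e.path });
    }
  }
  return findings;
}

// A single process that both reads credential stores and talks to an unexpected host
// matches the credential-theft pattern described above; escalate that combination.
function severity(findings) {
  const byPid = new Map();
  for (const f of findings) {
    if (!byPid.has(f.pid)) byPid.set(f.pid, new Set());
    byPid.get(f.pid).add(f.rule);
  }
  for (const rules of byPid.values()) {
    if (rules.has('unexpected-egress') && rules.has('credential-store-read')) return 'critical';
  }
  return findings.length ? 'warning' : 'none';
}
```

The allowlist is the part that does the work: for a library whose job is local IPC, the expected egress set is small enough to enumerate, which is what makes any new domain stand out.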
Create an Incident Response Plan for Supply Chain Compromise
Document your response when a dependency is compromised: Who freezes deployments? Who inventories affected systems? What's your credential rotation procedure? How do you communicate with customers? The node-ipc incident gave organizations no warning—your plan must assume zero notice.
Audit Account Recovery Mechanisms
Review your own organization's account recovery flows. If you use email-based password resets, verify that your domain registrations are locked and monitored. If former employees used personal domains for work accounts, migrate those accounts immediately.
The node-ipc incident exploited a mundane failure—an expired domain—to compromise a widely-trusted package. Your defenses must account for both sophisticated attacks and simple oversights. Start with MFA and domain monitoring; expand to signature verification and runtime detection. The next supply chain attack is already in progress.