⚠️ THREAT ALERT: Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
The trojanized artifacts are repackaged builds of the node-ipc library (versions 9.1.2, 9.2.0 and 9.2.1) that bundle a native C++ addon compiled against libuv and OpenSSL. A native addon runs in-process with the full privileges of the Node.js process that requires it, so the backdoor needs no flaw in node-ipc's inter-process communication (IPC) abstraction; it rides on the package's import. As reported, the addon registers a custom "_ipc" channel and uses it to inject arbitrary JavaScript into child processes spawned by any application that imports the compromised package, uses the MessagePort API (a documented part of Node's IPC and worker_threads machinery, not an undocumented one) to obtain a handle on the parent process and hook its event loop, and then runs a staged payload that reads files matching *.env, .npmrc and .yarnrc together with SSH private keys, exfiltrating API keys, tokens and keys over HTTPS POST to the C2 domain c2.xmpl.io. The initial intrusion vector is a supply-chain compromise of the npm registry: the tampered tarballs were published there, so any downstream project that resolves one of the affected versions receives the backdoor silently, including transitive installs that never appear in a top-level dependency list.
Preliminary binary analysis links the payload to three CVE identifiers, but the identifiers as cited do not describe what the sample does, and the attack does not need them. CVE-2023-44487 is the HTTP/2 "Rapid Reset" denial of service (fixed in Node.js 18.18.2 and 20.8.1), not a child_process sandbox escape; Node.js has no sandbox between JavaScript and native addons, so a .node file that the package loads already has native code execution in the victim process. CVE-2022-25858 is tracked as a regular-expression denial of service in terser rather than an OpenSSL overflow in EVP_DecryptInit_ex, and the node-gyp attribution (an unchecked integer overflow, CVE-2023-25188, in node-gyp 9.3.2) should be verified against the NVD before it is used as a patch target; node-gyp is a build tool and is not loaded at run time, so it cannot be "re-exported" by an addon. What the analysis does support is the persistence mechanism: the addon writes a hidden .node-ipc-backdoor file into the project's node_modules directory, and the tampered package's entry point (not the legitimate module, which has no such hook) requires it on subsequent imports. Delete node_modules outright rather than upgrading in place, so that file does not survive the cleanup.
Mitigation must proceed on three fronts:
(1) Immediate removal of all compromised node-ipc versions from every environment, including CI runners and developer workstations, not just production: delete node_modules and the .node-ipc-backdoor file rather than upgrading in place, reinstall from a trusted source (the official repository or a vetted internal mirror), and verify what was installed against the package-lock integrity hashes (`npm ci` fails with EINTEGRITY when a tarball's hash differs from the lockfile) and against registry signatures and provenance with `npm audit signatures`. Rotate every credential the stealer targets (.env contents, npm and yarn tokens, SSH private keys); an exfiltrated secret stays valid until it is revoked, whatever else is cleaned up.
(2) Patching the underlying components: upgrade Node.js to 18.18.2 or 20.8.1 or later (the releases that carry the CVE-2023-44487 mitigation), keep OpenSSL on a current release (3.1.3 at the time of writing; it does not address CVE-2022-25858, which is not an OpenSSL issue), and rebuild any native addons with node-gyp 9.4.0 or later. None of these upgrades removes the backdoor; they reduce the attack surface once the package itself is gone.
(3) Supply-chain hardening: run `npm audit` in CI, enable two-factor authentication on publishing accounts with `npm profile enable-2fa auth-and-writes` (the `--otp` flag on `npm login` only supplies a one-time code during login and does not enrol the account), verify SLSA provenance attestations for dependencies, pin exact versions in the lockfile, and instrument runtime detection of unexpected native addon loads in Node processes with Falco or osquery, so that a .node file appearing in a pure-JavaScript package raises an alert.