Three malicious versions of node-ipc, a widely used Node.js library in Web3 development pipelines, were confirmed compromised on May 14. Security firm SlowMist warned that crypto developers relying on the package face immediate risk of credential theft, including exposure of AWS keys and private keys. The attack was flagged by SlowMist's MistEye threat intelligence system.
What SlowMist Found
SlowMist's MistEye system detected the malicious releases of node-ipc, a foundational component that many blockchain and crypto applications pull into their build processes. The firm didn't specify which version numbers were affected, but urged developers to verify their dependencies immediately. The compromised packages could exfiltrate sensitive credentials from development environments.
The Risk to Developers
For crypto teams, the stakes are high. Node-ipc is used in automated build scripts, CI/CD pipelines, and local development setups. A malicious version could silently steal credentials stored in environment variables or configuration files. SlowMist's warning specifically called out AWS keys and private keys — the kind of access that could let an attacker drain wallets or infiltrate cloud infrastructure.
What Developers Should Do Now
Check your package-lock.json or yarn.lock for node-ipc entries and compare against the official registry. If you see versions published after a certain date, treat them as suspect. SlowMist recommended rolling back to a known clean version and pinning it. Also rotate any credentials that may have been exposed in environments where the malicious package ran. The attack surface isn't limited to production — even local machines or CI runners that fetched the bad versions are at risk.
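One way to run the lockfile check described above, as an added example (not code from SlowMist or the node-ipc project). The function names are hypothetical, the version strings in the sample are constructed placeholders rather than real node-ipc releases, and the allowlist passed to suspect is an assumption: fill it with versions you have verified against the registry yourself.

```javascript
// Added example: list every node-ipc version a lockfile pins, transitive copies included.
// npm: lockfile v2/v3 has a flat "packages" map; v1 nests "dependencies".
function fromPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [where, meta] of Object.entries(lock.packages)) {
      if (where === 'node_modules/node-ipc' || where.endsWith('/node_modules/node-ipc')) {
        hits.push({ where, version: meta.version, resolved: meta.resolved });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (name === 'node-ipc') hits.push({ where, version: meta.version, resolved: meta.resolved });
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// yarn.lock (classic or berry): unindented header, then an indented version line.
function fromYarnLock(text) {
  const hits = [];
  let header = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line) && !line.startsWith('#')) {
      header = /(^|[\s",])node-ipc@/.test(line) ? line.replace(/:$/, '') : null;
    } else if (header) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) { hits.push({ where: header, version: m[1] }); header = null; }
    }
  }
  return hits;
}

// Keep only entries whose version is not on the list you have verified yourself.
const suspect = (hits, knownGood) => hits.filter((h) => !knownGood.includes(h.version));

// Constructed sample: placeholder versions, not real node-ipc releases.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/node-ipc': { version: '0.0.1-example' },
  'node_modules/build-tool/node_modules/node-ipc': { version: '0.0.2-example' },
} });
console.log(suspect(fromPackageLock(SAMPLE_LOCK), ['0.0.1-example']));
```

To check a real project, pass the contents of package-lock.json or yarn.lock (for example read with fs.readFileSync) to the matching function, on every machine and CI runner that installed dependencies.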
The full extent of the compromise is still under investigation. It's unclear whether the attacker pushed multiple malicious versions over time or in a single burst. Developers should treat any recent node-ipc install as compromised until proven otherwise.




