Node-IPC Expired Domain & Maintainer Account Hijacking

On May 14, 2026, the highly popular Node.js library node-ipc was compromised in a major supply chain attack. Attackers re-registered the expired email domain of a dormant lead maintainer to reset their npm account password and publish credential-stealing updates.

Date:
Severity: critical
Sources: 5
#package-compromise #maintainer-hijacking #supply-chain #domain-takeover #dns-exfiltration #credential-theft

Executive Summary

On May 14, 2026, the foundational JavaScript package node-ipc (over 800,000 weekly downloads) was compromised in an elegant and highly impactful supply chain hijacking tracked as SNYK-JS-NODEIPC-16697063 (Snyk Vulnerability Database). Rather than breaking into repository servers or compromising CI/CD pipelines directly, the attackers hunted for a dormant maintainer account named atiertant (CSO Online). They discovered that the maintainer's registered npm email address was hosted on atlantis-software.net, a domain that had quietly expired in January 2025 (Cybersecurity News). By re-registering this expired domain, the threat actors hijacked the email inbox, initiated an npm password reset, bypassed multi-factor authentication (which was either absent or circumvented via account recovery), and gained publishing credentials (Daily.dev Blog). They immediately published three compromised versions of the package: 9.1.6, 9.2.3, and 12.0.1 (CSO Online). The injected malicious CommonJS bundle contained an obfuscated ~80KB credential stealer designed to exfiltrate database keys, cloud secrets (AWS, Azure, GCP), SSH keys, and AI agent keys via DNS TXT queries, a channel chosen to evade egress network filters (Snyk Vulnerability Database). Defenders must immediately check all dependency trees, quarantine affected machines, and rotate all exposed secrets.

Key Facts

threat_type: "Maintainer Account Takeover & Expired Domain Hijacking"
ecosystem: "npm, javascript, node.js"
registry: "npm Registry"
affected_packages:
  - "node-ipc"
malicious_versions:
  - "9.1.6"
  - "9.2.3"
  - "12.0.1"
fixed_versions:
  - "9.1.7"
  - "9.2.4"
  - "12.0.2"
safe_versions:
  - "9.1.5"
  - "9.2.2"
  - "12.0.0"
exposure_window: "2026-05-14T02:30:00Z to 2026-05-14T14:45:00Z"
execution_trigger: "Importing or requiring the malicious package via `require('node-ipc')` during project runtime or testing"
primary_impact: "Developer workstation and CI/CD runner host credential harvesting, with stealthy DNS TXT exfiltration"
known_iocs:
  - "atlantis-software[.]net"
  - "dns.atlantis-software[.]net"
confidence: "high"
canonical_source: "https://snyk.io"

Source Confidence & Evidence Mapping

  • confirmed:
    • Malicious versions published on npm under node-ipc were 9.1.6, 9.2.3, and 12.0.1. Source: Snyk Vulnerability Database
    • The hijacking was achieved by re-registering the expired domain atlantis-software.net used by lead maintainer atiertant. Source: CSO Online
    • Obfuscated payload of approximately 80KB was injected directly into node-ipc.cjs. Source: Daily.dev Blog
    • Data exfiltration leveraged DNS TXT records pointing to attacker-controlled name servers on the hijacked domain. Source: Cybersecurity News
  • likely:
    • The dormant maintainer account lacked mandatory multi-factor authentication (MFA) or fell victim to legacy account recovery flows. Source: CSO Online
  • unclear:
    • Exact number of downstream organizations infected during the 12-hour exposure window. Source: Daily.dev Blog

Timeline

  • 2025-01-15T00:00:00Z The domain atlantis-software.net expires and enters redemption state. Source: Cybersecurity News
  • 2026-05-10T12:00:00Z Attackers discover the expired domain and register it via a public registrar. Source: Daily.dev Blog
  • 2026-05-14T02:30:00Z Attackers complete the npm account recovery, take over the atiertant account, and publish 9.1.6, 9.2.3, and 12.0.1. Source: CSO Online
  • 2026-05-14T07:15:00Z Automated security pipelines at Socket and Snyk trigger anomaly alerts on unexpected codebase size increases and domain association checks. Source: Snyk Vulnerability Database
  • 2026-05-14T14:45:00Z The npm security team revokes the compromised credentials, removes the malicious versions, and blocks the compromised account. Source: CSO Online

What Happened

On May 14, 2026, the maintainers of several high-profile downstream projects noticed Snyk alerts indicating that node-ipc had published minor versions with a massive file size inflation (CSO Online). Snyk and Socket researchers quickly mapped the release of 9.1.6, 9.2.3, and 12.0.1 to the npm account of atiertant, a dormant developer who had not contributed to the main codebase in over two years (Snyk Vulnerability Database). Upon checking the registrant status of the maintainer's contact email domain (atlantis-software.net), analysts discovered the domain had been registered just four days prior by a private entity using a different registrar than the original registrant (Cybersecurity News). It became clear that the threat actors had re-registered the expired domain to intercept the password-reset email sent by the npm registry (Daily.dev Blog). Armed with access to the npm account, they injected an 80KB credential stealer payload directly into the compiled CJS files; because the malicious release was pushed directly from the hijacked maintainer account to the npm registry, standard git commit hooks and CI checks were bypassed entirely (Snyk Vulnerability Database).

Technical Analysis

Initial Access

Initial access was gained via an expired email domain takeover (CSO Online). The attackers scanned package metadata directories of highly popular npm packages to find dormant maintainer accounts whose domain-based email addresses were currently available for public registration (Cybersecurity News). Once atlantis-software.net was identified as expired, it was re-registered for less than $15, allowing the threat actors to spin up a mail server for the domain's MX record, receive the reset token from npm, and instantly take over account access (Daily.dev Blog).

Package or Artifact Manipulation

The threat actor did not compromise the GitHub repository RIAEvangelist/node-ipc. Instead, they bypassed source control entirely. They downloaded the legitimate versions 9.1.5, 9.2.2, and 12.0.0, modified the bundled distribution files (node-ipc.cjs) by appending the obfuscated payload, updated package.json to bump the versions to 9.1.6, 9.2.3, and 12.0.1, and published directly to npm using the hijacked publishing token (CSO Online).

Execution Trigger

The malware executes automatically at import time (Snyk Vulnerability Database). As soon as any dependency or root project loads node-ipc via:

const ipc = require('node-ipc');

the Immediately Invoked Function Expression (IIFE) appended to the end of the node-ipc.cjs bundle is triggered in the Node.js runtime (Daily.dev Blog).

Payload Behavior

Upon execution, the payload performs the following actions:

  1. Environment Enumeration: Iterates through process.env looking for secrets.
  2. File System Scanning: Scans typical system directories (~/.aws/, ~/.ssh/, ~/.kube/) and searches developer workspaces for .env and config.json containing cloud API keys and authentication tokens.
  3. Target Collection: Gathers over 90 different kinds of sensitive configurations (specifically looking for npm publishing tokens, AWS keys, GCP keys, Kubernetes configurations, and developer tools like Cursor/Copilot configurations).

Exfiltration / C2

To bypass strict firewalls and egress proxies that block HTTP/HTTPS traffic to unrecognized domains, the malware compresses the stolen credentials, encodes them in Base32 chunks, and exfiltrates the data using DNS TXT record queries of the form (Cybersecurity News):

<base32_chunk>.<unique_session_id>.dns.atlantis-software[.]net

By querying their own custom nameserver hosted on dns.atlantis-software[.]net, the attackers bypass corporate web proxies and egress security monitors, which routinely allow outbound DNS resolution from the system resolver (Snyk Vulnerability Database).
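As an added example (not part of the advisory or the node-ipc project), the following hunt logic runs over constructed resolver query log lines and flags both direct matches on the exfiltration zone above and, more generally, TXT queries whose leftmost label is long, Base32-shaped and high-entropy. The log line format (`<timestamp> <client_ip> <qtype> <qname>`) and the entropy/length thresholds are assumptions for this example.

```javascript
// Added example, not from the advisory: hunt resolver query logs for the pattern
// <base32_chunk>.<session_id>.dns.atlantis-software.net. Log format and thresholds are assumptions.
const KNOWN_EXFIL_ZONE = 'dns.atlantis-software.net';
const BASE32_RE = /^[A-Z2-7]+=*$/i;
// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}
// Parse one constructed log line: "<timestamp> <client_ip> <qtype> <qname>".
function parseLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  if (!qname) return null;
  return { ts, client, qtype: qtype.toUpperCase(), qname: qname.replace(/\.$/, '').toLowerCase() };
}
// Returns a reason string when the query is suspicious, otherwise null.
function classifyQuery(q) {
  // Any name under the advisory's exfil zone is a direct IOC match.
  if (q.qname === KNOWN_EXFIL_ZONE || q.qname.endsWith('.' + KNOWN_EXFIL_ZONE)) return 'known-ioc';
  // Generic tunnelling heuristic for zones not on a blocklist yet: TXT query whose leftmost
  // label is long, Base32-shaped and high-entropy (assumed thresholds; tune to your data).
  const first = q.qname.split('.')[0];
  if (q.qtype === 'TXT' && first.length >= 32 && BASE32_RE.test(first) && shannonEntropy(first) > 3.5) {
    return 'suspected-dns-tunnel';
  }
  return null;
}
// Run every line of a log through the classifier and return the hits.
function huntDnsLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    const q = parseLine(line);
    const reason = q && classifyQuery(q);
    if (reason) hits.push({ ...q, reason });
  }
  return hits;
}

// Constructed sample log (not real telemetry): two exfil chunks to the IOC zone,
// one tunnel-shaped query to another zone, and two benign lookups.
const SAMPLE_LOG = `
2026-05-14T03:01:07Z 10.0.4.21 TXT MFRGGZDFMZTWQ2LKNNWW433OOBYXE43U.a1b2c3.dns.atlantis-software.net.
2026-05-14T03:01:07Z 10.0.4.21 TXT NBSWY3DPEB3W64TMMQQHEZLNN5ZGK.a1b2c3.dns.atlantis-software.net.
2026-05-14T03:02:11Z 10.0.4.22 TXT Q7WZ3BK2RMA5TNJ6HLXCGP4YEDUVSIOF.s1.example-tunnel.test.
2026-05-14T03:02:30Z 10.0.4.23 A registry.npmjs.org.
2026-05-14T03:02:31Z 10.0.4.23 TXT _dmarc.example.org.
`;
```

Call `huntDnsLog(SAMPLE_LOG)` to get the three flagged queries; the benign A and `_dmarc` lookups are not reported.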

Propagation

The malware does not possess lateral worm propagation vectors; it remains a static, target-harvesting payload.

Obfuscation or Evasion

The appended malicious script was heavily obfuscated using a commercial JS obfuscator, hiding strings and variables inside a massive nested hex-encoded dictionary to prevent signature-based detection by standard npm package scanners (Daily.dev Blog).

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "npm"
  packages:
    - "node-ipc"
  versions:
    - "9.1.6"
    - "9.2.3"
    - "12.0.1"
  repositories:
    - "RIAEvangelist/node-ipc"
  container_images: []
  CI_CD_systems:
    - "GitHub Actions runners"
    - "GitLab CI runners"
  developer_tools:
    - "Developer workstations"
credentials_at_risk:
  - AWS access keys
  - GCP service account keys
  - Azure authentication secrets
  - SSH private keys
  - npm publishing tokens
  - Kubernetes service tokens
  - AI developer tool API keys

Indicators of Compromise

Domains

  • atlantis-software[.]net (source: https://snyk.io, confidence: high)
  • dns.atlantis-software[.]net (source: https://snyk.io, confidence: high)

Network Logs

  • DNS lookup requests for names ending in .dns.atlantis-software[.]net, or TXT-type queries sent to the authoritative name servers of atlantis-software[.]net.

Package Versions

  • node-ipc@9.1.6
  • node-ipc@9.2.3
  • node-ipc@12.0.1

Detection and Hunting

Hunt Queries

hunt_queries:
  dependency_lockfiles:
    - "node-ipc@9.1.6"
    - "node-ipc@9.2.3"
    - "node-ipc@12.0.1"
  network:
    - "*.dns.atlantis-software.net"
  endpoint_checks:
    - "Look for high-frequency outbound UDP/53 (DNS) queries containing long, high-entropy subdomains"

Remediation Workflow

  • Immediate:
    1. Scan your project lockfiles for the malicious versions (9.1.6, 9.2.3, 12.0.1) and force a downgrade to 9.1.5 or 12.0.0, or upgrade to the clean fixed releases 9.1.7 / 12.0.2 (Snyk Vulnerability Database).
    2. Revoke and rotate all environment credentials, cloud access tokens, SSH keys, and npm publishing keys that were present on developer machines or CI/CD runners while these packages executed (CSO Online).
  • Short-term:
    • Purge your local and corporate package caching servers (e.g., Nexus, Artifactory, local .npm cache) to ensure malicious versions are completely evicted.
  • Long-term:
    • Implement mandatory domain registrant checks for critical upstream dependencies, pin hashes instead of mutable versions, and restrict outbound DNS (port 53) from developer workstations and runners to trusted internal resolvers that perform DNS security filtering.

Defensive Lessons

  • prevent: Ensure that all organization domains used for registry accounts are auto-renewed, and never let a developer's professional domain expire while that developer remains listed as a package maintainer.
  • detect: Monitor runner DNS query telemetry for DNS tunneling exfiltration patterns, and flag massive file size anomalies in package updates.
  • respond: Maintain a robust, tested secret rotation playbook capable of instantly rolling 100% of credentials across cloud, source control, and registry systems.

Open Questions

  • Were the attackers exploiting a loophole in npm account recovery to bypass MFA, or did the maintainer account simply lack MFA entirely?
  • Are there other dormant npm maintainer accounts with expired domains that are currently vulnerable to the same takeover vector?

Sources

  1. Snyk Advisory for node-ipc - Role: DIRECT_SOURCE - Impact: Detailed package versions, fixed releases, and security advisory mapping.
  2. CSO Online Attack Coverage - Role: PRIMARY_RESEARCH - Impact: Detailed explanation of the expired domain re-registration vector and the dormant account hijacking timeline.
  3. Cybersecurity News DNS Exfil Analysis - Role: SECONDARY_ANALYSIS - Impact: In-depth technical breakdown of the Base32 DNS TXT query exfiltration mechanism.
  4. Daily.dev Package Analysis - Role: PRIMARY_RESEARCH - Impact: Obfuscated payload identification and system enumeration targets.
  5. Landh.tech Anomaly Reports - Role: SECONDARY_ANALYSIS - Impact: Initial alert timeline and anomaly signal mapping.

Machine-Readable Event Profile (Format B)

[
  {
    "event_id": "node-ipc-expired-domain-takeover",
    "event_name": "Node-IPC Expired Domain & Maintainer Account Hijacking",
    "parent_campaign_id": "none",
    "is_campaign_level": false,
    "confidence": "high",
    "confidence_reason": "Backed by verified Snyk advisories, multiple independent security firm reports in complete agreement, and clear metadata/timeline telemetry.",
    "attack_types": [
      "maintainer account compromise",
      "package takeover",
      "abandoned package takeover",
      "malicious package",
      "credential theft",
      "token exfiltration"
    ],
    "direct_sources": [
      {
        "name": "Snyk Advisory for node-ipc",
        "url": "https://snyk.io"
      }
    ],
    "correlated_sources": [
      {
        "name": "CSO Online Attack Coverage",
        "url": "https://www.csoonline.com",
        "role": "PRIMARY_RESEARCH",
        "contribution": "account recovery timeline and atlantis-software.net expired domain takeover"
      },
      {
        "name": "Cybersecurity News DNS Exfil Analysis",
        "url": "https://www.cybersecuritynews.com",
        "role": "SECONDARY_ANALYSIS",
        "contribution": "DNS TXT query exfiltration mechanics and C2 configurations"
      },
      {
        "name": "Daily.dev Package Analysis",
        "url": "https://daily.dev",
        "role": "PRIMARY_RESEARCH",
        "contribution": "payload analysis and credential scanning types"
      }
    ],
    "affected_assets": {
      "ecosystems": ["npm"],
      "packages": ["node-ipc"],
      "versions": ["9.1.6", "9.2.3", "12.0.1"],
      "repositories": ["RIAEvangelist/node-ipc"],
      "vendors": [],
      "CI_CD_systems": ["GitHub Actions runners", "GitLab CI runners"],
      "container_images": [],
      "developer_tools": ["Developer workstations"]
    },
    "timeline": {
      "first_seen": "2026-05-14T02:30:00Z",
      "malicious_publish_time": "2026-05-14T02:30:00Z",
      "discovery_time": "2026-05-14T07:15:00Z",
      "removal_time": "2026-05-14T14:45:00Z",
      "disclosure_time": "2026-05-14T07:15:00Z",
      "fixed_version_time": "2026-05-14T14:45:00Z"
    },
    "matching_signals": {
      "package_names": ["node-ipc"],
      "affected_versions": ["9.1.6", "9.2.3", "12.0.1"],
      "identifiers": {
        "cve": "N/A",
        "ghsa": "N/A",
        "osv": "SNYK-JS-NODEIPC-16697063"
      },
      "shared_claims": "Credential stealer targeting cloud keys, SSH keys, and tokens",
      "shared_root_cause": "Dormant maintainer account linked to expired domain",
      "shared_affected_parties": "Downstream developers and CI/CD automation users"
    },
    "iocs": {
      "domains": ["atlantis-software.net", "dns.atlantis-software.net"],
      "ips": [],
      "urls": [],
      "hashes": [],
      "scripts": ["node-ipc.cjs"]
    },
    "recommended_actions": {
      "store_as_new_event": true,
      "attach_as_observations": [
        "https://www.csoonline.com",
        "https://www.cybersecuritynews.com",
        "https://daily.dev"
      ],
      "promote_to_writeup": true,
      "needs_ioc_enrichment": false,
      "needs_registry_metadata": false,
      "needs_more_research": false
    }
  }
]