Executive Summary
On May 14, 2026, the foundational JavaScript package node-ipc (over 800,000 weekly downloads) was compromised in an elegant and highly impactful supply chain hijacking tracked as SNYK-JS-NODEIPC-16697063 Snyk Vulnerability Database opens in a new tab. Rather than breaking into repository servers or compromising CI/CD pipelines directly, the attackers target-hunted a dormant maintainer account named atiertant CSO Online opens in a new tab. They discovered the maintainer's registered npm email address was hosted on atlantis-software.net—a domain that had quietly expired in January 2025 Cybersecurity News opens in a new tab. By re-registering this expired domain, the threat actors successfully hijacked the email inbox, initiated an npm password reset, bypassed multi-factor authentication (which was either absent or circumvented via account recovery), and gained publishing credentials Daily.dev Blog opens in a new tab. They immediately published three compromised versions of the package: 9.1.6, 9.2.3, and 12.0.1 CSO Online opens in a new tab. The injected malicious CommonJS bundle contained an obfuscated ~80KB credential stealer designed to exfiltrate database keys, cloud secrets (AWS, Azure, GCP), SSH keys, and AI agent keys via DNS TXT queries to evade egress network filters Snyk Vulnerability Database opens in a new tab. Use the lockfile, package-cache, and DNS TXT hunt recipes below to determine whether these versions executed and which identities were exposed.