node-ipc npm Package Compromised in Supply Chain Attack to Steal Credentials

Attackers injected credential-stealing malware into newly published versions of node-ipc, a popular Node.js inter-process communication package on npm. Any developer or CI pipeline that installed the compromised versions should assume credential exposure. This is at least the third significant npm supply chain compromise in recent weeks — following TanStack and Bitwarden — suggesting an organized campaign targeting the npm ecosystem, potentially linked to TeamPCP’s Shai-Hulud tooling. Developers should immediately pin or audit node-ipc in their dependency trees, rotate all credentials accessible from affected build environments, and review recently updated packages for signs of tampering.