
Backdoored node-ipc npm releases steal developer credentials through DNS queries

ID: a64c32f7-e13d-50bc-b480-fed631852984

STIX ID: report--a64c32f7-e13d-50bc-b480-fed631852984

Feed Name: Datadog Security Labs

Threat Score: 80/100

Date Published: 2026-05-14

Date Updated: 2026-05-14


On May 14, 2026, three npm releases of node-ipc (9.1.6, 9.2.3, 12.0.1) were published with a backdoored CommonJS entrypoint that, when required, forks a detached child, collects environment, host, and a broad set of credential files (developer, cloud, package manager, source control, Kubernetes, DB, SSH), archives and compresses them, and exfiltrates the data via DNS TXT queries to a resolver decoded from sh.azurestaticprovider.net:443 (query suffix bt.node.js). The report provides technical analysis, IoCs (file and tarball SHA-256 hashes, DNS IP 37.16.75.69, embedded keys), detection signatures, and mitigation/containment advice including dependency inventory, DNS sinkholing, and credential rotation.
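As an added defender-side example (not code from the Datadog report), the script below covers two of the mitigation and detection points in the summary: it flags the three backdoored node-ipc versions in a lockfileVersion 2/3 package-lock.json, including nested copies, and picks out DNS queries under the bt.node.js suffix. The DNS log line format and all sample inputs are constructed assumptions for the example.

```python
import json

# Backdoored node-ipc releases named in the report.
BACKDOORED_NODE_IPC = {"9.1.6", "9.2.3", "12.0.1"}
# Query-name suffix the backdoor appends to its DNS TXT exfiltration queries.
EXFIL_SUFFIX = ".bt.node.js"


def find_backdoored_node_ipc(lockfile_text):
    """Return sorted (install path, version) pairs for every node-ipc entry in a
    lockfileVersion 2/3 package-lock.json whose version is backdoored. Nested
    copies (node_modules/a/node_modules/node-ipc) are caught too."""
    packages = json.loads(lockfile_text).get("packages", {})
    hits = []
    for path, meta in packages.items():
        if path.rsplit("node_modules/", 1)[-1] == "node-ipc":
            if meta.get("version") in BACKDOORED_NODE_IPC:
                hits.append((path, meta["version"]))
    return sorted(hits)


def flag_exfil_queries(log_lines):
    """Return (client, qname) for DNS log lines whose query name ends with the
    backdoor's suffix. Assumed (constructed) line format:
    '<timestamp> <client-ip> <qtype> <qname>'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[3].rstrip(".")  # drop trailing dot from FQDN form
        if qname.lower().endswith(EXFIL_SUFFIX):  # case-insensitive match
            flagged.append((parts[1], qname))
    return flagged


# Constructed sample inputs (not taken from the report).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"node-ipc": "^9.2.0"}},
        "node_modules/node-ipc": {"version": "9.2.3"},
        "node_modules/event-pubsub": {"version": "4.3.0"},
        "node_modules/legacy-tool/node_modules/node-ipc": {"version": "9.1.5"},
    },
})
SAMPLE_DNS_LOG = [
    "2026-05-14T10:02:11Z 10.0.0.5 A registry.npmjs.org.",
    "2026-05-14T10:02:12Z 10.0.0.5 TXT 0.aGVsbG8gd29ybGQ.bt.node.js.",
    "2026-05-14T10:02:12Z 10.0.0.5 TXT 1.Zm9vYmFy.BT.node.js.",
]
```

A real DNS sinkhole or resolver log will need its own field parsing, but the suffix check and the version set are the parts that carry the detection logic.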
