The Supply Chain Strikes Again: Credential-Stealing Malware Hidden in node-ipc
WHITE PetrP.73 2026-05-20 Modified: 2026-05-20
5 IOCs
LOW VOLUME
On May 14, 2026, attackers published malicious versions of the widely used npm package node-ipc through a legitimate maintainer account, embedding a sophisticated credential-stealing payload in a package that had previously garnered around 3.35 million monthly downloads. The malware was concealed in the package's CommonJS bundle, the node-ipc.cjs file, and activated silently when an application loaded the package with require('node-ipc'). By design, it harvested sensitive credentials for developer environments, CI/CD pipelines, and cloud services without interfering with normal application operation, which allowed it to run unnoticed.
Indicators of Compromise (1 / 5 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 d1ba0419cb5e5de91b9b58e87b8322e1 2026-05-20