node-ipc — three poisoned versions, an expired domain mailbox, and 90 categories of leaked credentials
15 May 2026. Between roughly 03:00 UTC on 14 May 2026 and the registry takedown later that afternoon UTC, three tampered versions of the widely used Node/npm library node-ipc — 9.1.6, 9.2.3 and 12.0.1 — were available in the registry and contained an identical 80 KB stealer payload. The initial vector was not account phishing and not token exfiltration, but the re-registration of the maintainer mail domain atlantis-software.net, which had expired on 7 May, through Namecheap, plus the configuration of PrivateEmail mail infrastructure — a regular account takeover via the email recovery path. Anyone who, in the eleven-hour window, freshly installed or rebuilt node-ipc or a library with node-ipc as a transitive dependency (Webpack, Vite, vue-cli, Storybook, in-house TYPO3 sitepackage or Sylius frontend build pipelines) must treat all credentials on the affected host as compromised.
TL;DR — 90 seconds
Three node-ipc versions with an active credential stealer were live in the npm registry for eleven hours on 14 May 2026; the initial vector is an expired maintainer mail-domain mailbox, exfiltration runs over DNS TXT tunnelling — anyone who built in that window rotates now.
| Question | Answer |
|---|---|
| Affected? | node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1, published 14 May 2026 ~03:00 UTC, removed 14 May 2026 afternoon UTC. Directly and transitively affected are builds with Webpack, Vite, vue-cli, Storybook, in-house TYPO3 sitepackage build paths and Sylius shop frontend pipelines that ran npm install / pnpm install / yarn install against an unfrozen lockfile in the window |
| Risk? | Stealer payload collects more than 90 categories of credentials (AWS, Azure, GCP, SSH, Kubernetes tokens, GitHub CLI config, Claude/Kiro/IDE tokens, Terraform state, DB passwords, shell history) and exfiltrates via DNS TXT queries to an Azure-impersonating lookalike domain — no HTTP/HTTPS, no visible TLS connection |
| Immediate action? | Audit lockfiles (package-lock.json / pnpm-lock.yaml / yarn.lock) for node-ipc versions; if any hit lies in the 11-hour window between 14 May 03:00 UTC and ~14:00 UTC: treat the build host as compromised, rotate credentials, reissue pipeline tokens |
| Recommendation? | For the German Mittelstand: lockfile audit via npm audit plus version pin to the last clean node-ipc line (9.1.5 or 12.0.0); flush build caches; credential rotation on affected build hosts. Enterprise: additionally an SCA tool rescan, maintainer-identity audit across the tenant estate, DNS egress filter on the CI build hosts |
| Criticality? | See hero badge — critical |
What is the problem?
node-ipc is a Node.js library for inter-process communication, maintained since 2014. With around 822,000 weekly downloads and roughly 3.35 million monthly downloads, the library is one of the most commonly pulled-in transitive npm components — it sits beneath Webpack (using node-ipc for IPC between watcher and dev server), beneath Vite (development IPC), beneath vue-cli and beneath several tooling paths that travel with TYPO3 sitepackage build pipelines and Sylius frontend build pipelines. Directly installed, node-ipc appears in only a handful of German Mittelstand projects; transitively installed, in practically every contemporary TYPO3 13+ or Sylius 2+ sitepackage.
Between roughly 03:00 UTC on 14 May 2026 and the registry takedown that afternoon UTC, three tampered versions — 9.1.6, 9.2.3 and 12.0.1 — were available on the npm registry. All three carried an identical obfuscated JavaScript payload of about 80 KB, triggered through the postinstall lifecycle and through the module execution path on the first require('node-ipc'). The payload decompressed itself, scanned the build host across more than 90 categories of credentials, and exfiltrated the values it found via DNS TXT queries to a lookalike domain impersonating Azure infrastructure (sh.azurestaticprovider.net, routing zone bt.node.js, query prefixes xh, xd, xf).
The decisive point is not the payload but the initial vector. The attacker did not compromise the npm account (no brute-force password reset, no OAuth token theft), did not infiltrate the maintainer's machine, and did not exploit a vulnerability in the registry. They re-registered the domain atlantis-software.net through Namecheap on 7 May 2026, after it had expired the previous day, configured a PrivateEmail mailbox under the original maintainer's mailbox name, and used it to walk through npm's regular account-recovery path. In this model the maintainer identity is not the account but the mailbox at the key symbol. Whoever owns the mailbox is the maintainer.
This is the structural weakness that distinguishes this episode from Mini-Shai-Hulud (OIDC memory extraction from CI runners) and from the Composer token leak (diagnostic output). Mini-Shai-Hulud was a technical attack on the CI pipeline layer. Composer was a validation weakness on the build-tool layer. node-ipc is an administratively clean account takeover: every step of the attack ran through the regular, documented paths of the registry and the maintainer-account system. It cannot be defended through a patch — it can only be defended through discipline in the relationship between identity and backup channel.
Who is affected?
A compact overview of affected and non-affected configurations.
| Configuration | Affected | Not affected / conditions |
|---|---|---|
TYPO3 sitepackage build with Vite or vue-cli, executed in the 11-hour window 14 May 03:00–14:00 UTC | When the lockfile contains node-ipc@9.1.6, 9.2.3 or 12.0.1, or the build ran npm install / npm ci against an unfrozen lockfile | Lockfile frozen at node-ipc@9.1.5 or older / 12.0.0 or older; build did not run in the 11-hour window |
| Sylius shop frontend with Webpack Encore and a Storybook component library | As above — transitive dependency via the Webpack watcher IPC and Storybook dev server | Lockfile pin on the clean line; or frontend build on a build machine that was offline in the window |
| Custom platform tooling (internal CLIs, Node maintenance scripts) | When the tooling ran npm install against an unfrozen lockfile in the window | Tooling stack freshly built from a Wolfi base image after 14 May 14:00 UTC |
| Build on GitHub-hosted runner (ubuntu-latest) | When the workflow ran in the 11-hour window and used unfrozen lockfiles or npm install (instead of npm ci) | npm ci with a lockfile pin on the clean line; workflow not triggered in the window |
| Build on a self-hosted runner with a local build cache | The build cache may carry the compromised line into subsequent runs — cache invalidation is mandatory | Cache volume is ephemeral (recreated per job); or cache explicitly flushed after 14 May 14:00 UTC |
Local developer workstations with node-ipc in the module graph | When the developer ran npm install in the window — the stealer payload executes on the first require | Workstation offline in the window; lockfile pin on the clean line |
| Kubernetes build platform with Wolfi-based Node images | When the Wolfi image ran an apk add npm-driven node-ipc update in the window (rare — Wolfi pins its own index line) | Wolfi index uses its own mirror, which was not updated within the registry window — no hit on the standard Wolfi line |
| Container builds with multi-stage and a Node build stage in the pipeline | When the build-stage layer was built in the window and the layer cache has not been invalidated | Layer cache created before 14 May 03:00 UTC and not refreshed since |
Anyone who ran multiple builds in the 11-hour window — typical for a TYPO3 tenant platform with frequent sitepackage pushes — has potentially executed the stealer several times, exfiltrating a fresh snapshot of the credential pool each time. We treat the estate operationally as “credentials leaked unless proven otherwise” and follow the audit path: lockfile inventory first, then hash audit of the package-lock.json estate, then build-host credential rotation, then pipeline token reissue.
Impact
The operational severity comes from three factors: the credential pool on a typical build host, the exfiltration path, and the structural mode of the attack.
The credential pool on a platform build host in the German Mittelstand is wide by experience. AWS access keys or Azure service principals for cloud deployments, GitHub CLI config with refresh token, SSH keys for tenant hosting targets, Kubernetes kubeconfig for cluster rollouts, Terraform state with cloud secrets, database passwords in CI variables, shell history with command-line-pasted tokens. The Datadog analysis of the payload lists more than 90 categories, including explicitly Claude AI and Kiro IDE settings — the stealer line has adapted to the reality of a contemporary developer workstation.
The exfiltration path is DNS TXT tunnelling, not HTTP/HTTPS. That is the operationally most uncomfortable layer of the episode: standard egress firewalls on cloud build hosts or self-hosted runner VLANs typically let DNS through because build tools need DNS for module resolution. A 500 KiB compressed archive generates roughly 29,400 DNS TXT queries to the lookalike domain — visible on a DNS query logging layer, but not in a standard firewall view. This is the same pattern known from DNS exfiltration research but rarely seen in a production npm stealer.
The structural mode is the biggest lesson. An attacker with the domain takeover as the only vector did not brute-force any account, did not steal any OAuth token, and did not find any security flaw in the registry. They walked the lookup path “email domain → mailbox → npm account recovery → publish right” cleanly. That makes the episode hard to address on the defender side: every defence layer would have to anchor the maintainer identity not in the email domain but in a second identity layer (hardware key, GPG signature, MFA backup-code discipline). In the npm ecosystem this is mostly not the standard today.
Business impact of a successful credential exfiltration on a tenant platform is in the worst case direct access to tenant cloud resources, deployment targets and tenant pipeline tokens. That is the lead-in for targeted follow-on attacks (lateral movement into the tenant environment, persistent backdoor installation), not full intrusion — but in a typical DACH platform setup with tenant-specific cloud sub-accounts the impact has to be assessed separately for each tenant.
Mitigation / immediate actions
Three paths, depending on pipeline discipline.
Path 1 — Lockfile audit and pin to the clean line
First layer: lockfile inventory across the entire tenant estate.
# Check all package-lock.json in the estate for node-ipc versions
find /path/to/projects -name "package-lock.json" -type f \
-exec sh -c '
for f; do
if grep -lE "\"node-ipc\":\s*\"(9\.1\.6|9\.2\.3|12\.0\.1)\"" "$f" > /dev/null; then
echo "HIT: $f"
fi
done
' sh {} +
# Check pnpm-lock.yaml / yarn.lock in parallel
grep -rEHn "node-ipc.*(9\.1\.6|9\.2\.3|12\.0\.1)" \
/path/to/projects --include="pnpm-lock.yaml" \
--include="yarn.lock" 2>/dev/null
On a hit, set the pin to the last clean line in package.json.
{
"overrides": {
"node-ipc": "9.1.5"
}
}
For pnpm:
# pnpm-workspace.yaml
overrides:
node-ipc: 9.1.5
Regenerate the lockfile and fix the override in the platform template until the maintainer line returns with a verified clean publish.
Path 2 — Invalidate build cache and module cache
The payload sits in the module graph. On every build host that ran in the window, the cache is potentially contaminated.
# Flush npm cache
npm cache clean --force
# Prune pnpm store
pnpm store prune
# Clean yarn cache
yarn cache clean
# Remove local node_modules across the board and reinstall
find /path/to/projects -name "node_modules" -type d -prune -exec rm -rf {} +
For GitHub Actions workflows, also invalidate the actions cache, because a cached node_modules layer can revive the payload on a subsequent run.
Path 3 — Credential rotation on affected build hosts
If a build ran in the 11-hour window and the stealer payload was therefore executed, the entire credential pool on the host must be treated as compromised.
# Rotate AWS access keys
aws iam create-access-key --user-name platform-build
aws iam delete-access-key --user-name platform-build --access-key-id <OLD>
# Regenerate SSH keys and remove the old public key from all tenant targets
ssh-keygen -t ed25519 -f ~/.ssh/platform_build_$(date +%Y%m%d) -N ''
# Rotate Kubernetes service account tokens
kubectl -n tenant-cluster delete secret build-sa-token
kubectl -n tenant-cluster create token build-sa --duration=24h
Token rotation at the cloud-provider level is tenant-scoped. If you run multiple tenant cloud sub-accounts in the platform, rotate per tenant and document the rotation in the tenant incident ledger.
Stopgap if the lockfile pin is not possible within the next 12 hours
Run builds temporarily with lifecycle scripts disabled:
# npm: install without postinstall scripts
npm ci --ignore-scripts
# pnpm
pnpm install --ignore-scripts
# yarn
yarn install --ignore-scripts
This variant also disables legitimate postinstall paths (for example native module builds for legacy node-sass or argon2 native builds), so it cannot run as a permanent solution. It buys time until the lockfile pin has cleared the platform pipeline.
Detection / verification
Three complementary paths.
Path 1 — SCA scan for the compromised versions
Standard SCA tools (Snyk, Socket, Dependabot, GitHub Security Advisories) have had the finding in their databases since 14 May 14:00 UTC. A fresh run against the tenant estate picks up the hits without further configuration.
# npm audit against the current database
npm audit --omit=dev
# Socket CLI for the external supply chain
socket scan create --repo your-org/your-repo --branch main
# Trivy filesystem scan against the source-code estate
trivy fs --severity HIGH,CRITICAL /path/to/projects/
The weakness of the SCA layer is timing. Anyone who ran the scan before 14 May 14:00 UTC did not find the result because the signature was not yet in the databases. The audit has to be run explicitly after 14 May 16:00 UTC to pick up the current signatures.
Path 2 — DNS query logs for the exfiltration pattern
Exfiltration runs via DNS TXT queries to the lookalike domainsh.azurestaticprovider.net with routing zone bt.node.js and query prefixes xh, xd, xf. DNS egress logging on the build hosts or at the recursive resolver layer catches the hits.
# Check bind/unbound query log for the pattern
grep -E "(azurestaticprovider\.net|\.bt\.node\.js)" \
/var/log/named/query.log \
| awk '{print $1, $2, $5, $7}'
# systemd-resolved log via journalctl
journalctl -u systemd-resolved \
--since "2026-05-14 03:00:00" \
--until "2026-05-15 00:00:00" \
| grep -E "azurestaticprovider"
Path 3 — Falco rule for DNS exfiltration patterns on CI runners
Self-hosted runners with Falco can observe egress DNS queries via a custom rule.
# /etc/falco/rules.d/node-ipc-dns-exfil.yaml
- macro: dns_exfil_target_domains
condition: >
(fd.sip.name contains "azurestaticprovider.net" or
fd.sip.name contains ".bt.node.js")
- rule: DNS exfiltration to node-ipc supply chain attacker domain
desc: Process resolves attacker-controlled domains used in node-ipc compromise (May 2026)
condition: >
evt.type in (sendto, sendmsg) and
fd.l4proto = udp and
fd.sport = 53 and
dns_exfil_target_domains
output: >
DNS exfiltration target hit: cmdline=%proc.cmdline target=%fd.sip.name
priority: CRITICAL
tags: [node-ipc, supply-chain, dns-exfil, may-2026]
For Kubernetes-driven platforms with a Cilium-Hubble stack the pattern can be observed in parallel as a Tetragon TracingPolicy. The reproduction is trivial — and dangerous. Anyone who wants to reproduce the payload must install the module in a fully isolated sandbox (no network egress, no credential pool on the host, a dedicated VM with a snapshot reset). Reproduction on a platform build host or a tenant CI pipeline is not acceptable, because the stealer scans the host comprehensively.
Operator recommendation
The operational question is not “which lockfile do we pin to which version?” but “which maintainer-identity discipline do we keep ready against the next comparable domain takeover?”. The node-ipc episode is an administratively clean account takeover. It will find imitators, and the next domain is the next weekly disclosure.
Operational Decision Block — immediate rotation vs. lockfile audit
- Rotate immediately when the tenant platform build ran a fresh
npm install/pnpm install/yarn installagainst an unfrozen lockfile in the 11-hour window 14 May 03:00–14:00 UTC andnode-ipc(directly or transitively) was in the module graph. - Lockfile audit in the 24-hour corridor when lockfiles in the platform estate were frozen and no
npm installwith lockfile update ran — the pin to the clean line is enough; rotation on a suspicion basis only on build hosts with an unclear history. - Awareness only when the tenant platform runs only PHP/Composer build pipelines and there is no Node frontend build in the stack — the episode stays on the skip list for the tenant architecture review.
- Maintenance window in the standard cycle is possible when the frontend build runs on a Wolfi base with its own Wolfi index that did not pass through the registry window — the pin is still recommended as a precaution.
German Mittelstand
Run a lockfile audit across all TYPO3 sitepackage repos and Sylius shop repos in the tenant estate. npm audit with an updated database signature (after 14 May 16:00 UTC), pin to node-ipc@9.1.5 or 12.0.0 as an override in package.json, cache invalidation on all build hosts. Build-host credential rotation on the machines that ran an npm install without a lockfile pin in the window — reissue AWS/Azure/GCP keys, SSH keys, Kubernetes tokens and GitHub CLI configs. A tenant awareness note for every tenant with an independent frontend build corridor; the GDPR follow-up assessment is tenant-scoped because the exfiltrated credentials may have covered tenant-specific cloud resources.
Enterprise
In addition to the Mittelstand line: SCA tool rescan across the entire build pipeline corpus, maintainer-identity audit across the curated npm dependency list, DNS egress filter on the CI build hosts (egress whitelist on registry mirrors and cloud API endpoints, all other DNS queries to a separate audit layer). Pre-receive hook on the central GitHub Enterprise server against lockfile drift in PRs, blocking any node-ipc@9.1.6/9.2.3/12.0.1 as a hard block.
Kubernetes platform
Anyone operating Actions Runner Controller (ARC) or Tekton as a CI platform has the advantage of central runner image definitions. Image promotion to a Wolfi base with a frozen Wolfi index that did not pass through the registry window — Helm chart pin to the runner image tag with a fixed Wolfi state. Roll out the Falco rule from the detection section cluster-wide; deploy a Tetragon policy in parallel on cluster platforms with a Cilium-Hubble stack.
- Sub-scenario ARC with curated Node images: lockfile pin in addition to the image pin, so that an accidental
npm installwithout a lockfile pin does not pull in the compromised state. - Sub-scenario Tekton pipelines with an
npm-cistep: set--ignore-scriptsas a default flag in the pipeline template until the maintainer line returns with a verified clean publish.
Declarative stacks (NixOS / Talos / Flatcar / Wolfi)
NixOS and Wolfi packages pin the index at build time. Anyone who froze the index before 14 May 03:00 UTC is not affected by default. Anyone who pulls the index dynamically (for example a nixos-unstable channel sync in the window) is potentially affected and must roll back the channel snapshot. Wolfi builds with a private npm mirror are not affected by default; Wolfi builds that pull directly from the public npm registry have to be treated like any other build host. Self-hosted runners on a Talos or Flatcar base inherit the pin with image promotion to a declaratively pinned Node line.
What we actually did
We ran four disciplines on 15 May 2026 between 06:00 and 09:00 CEST.
First the lockfile inventory: scanned every active TYPO3 sitepackage repo and Sylius shop repo in the tenant platforms via find plus grep across package-lock.json, pnpm-lock.yaml and yarn.lock. 31 repos came out, 27 of them with node-ipc in the transitive module graph (Webpack Encore in Sylius frontends, Vite in TYPO3 sitepackages, Storybook in two platform component libraries). In three repos the lockfiles already contained node-ipc@9.2.3 — the build host had run an automatic npm install for a TYPO3 sitepackage update run in the 11-hour window between 14 May 03:00 and 14:00 UTC.
Then immediate rotation on the three affected build hosts: reissued AWS IAM user access keys, rotated GitHub CLI configs (OAuth tokens revoked and reissued), replaced SSH keys on the tenant hosting targets (removed the old public keys from the tenants' authorized_keys), reissued Kubernetes service-account tokens for the affected tenant clusters. Sent tenant awareness notes to the three tenants whose platform repo was affected — with the specific time window, the affected credentials, and the state of rotation. Three tenant-specific incident ledgers opened.
Then the lockfile pin: switched all 27 repos with node-ipc in the graph to a platform override in package.json pinning node-ipc to 9.1.5 or 12.0.0. Merged the platform team's pull requests in cohorts (5 repos per cohort), with a 30-minute observation window between cohorts so an accidental pipeline break would not stop the entire estate at once. Added the override block to the platform workflow template (.github/workflow-templates/node-build.yml) so the pin will apply automatically to future repo creations as well.
Finally the detection stage: activated the Falco rule DNS exfiltration to node-ipc supply chain attacker domain on two cluster platforms running ARC pools. Rolled out the Tetragon policy in a third cluster platform (a tenant-owned platform cluster with a Cilium-Hubble stack). Ran a DNS egress logging audit across all platform build hosts for the 11-hour window — no hits on the lookalike domain, the detection pattern stays in place as a vigilance layer for the next wave.
The structural lesson from this episode does not sit in the lockfile pin, but in the relationship between maintainer identity and mail-domain lifecycle. The atlantis-software.net domain expired on 6 May 2026; six days later an attacker had re-registered the domain and set up mail infrastructure; seven days later the first stealer payload sat in the npm registry. That is the structural class in which the supply-chain layer stands today, after Mini-Shai-Hulud and the Composer token leak: not compromised by malicious code, but through a forgotten domain renewal date as an authentication root. In the last two weeks we have seen three different classes — memory extraction (Mini-Shai-Hulud, 11/12 May), diagnostic output (Composer, 14 May) and now domain lifecycle (node-ipc, 15 May). The number of possible vectors is growing faster than defensive discipline.
In the broader architecture arc the answer is not a single patch, but curated supply-chain discipline as its own platform component. The lockfile pin in the workflow file is the emergency measure. The structural answer is a curated Wolfi line with its own npm mirror, an SBOM generated per build (CycloneDX or SPDX), and a maintainer-identity audit layer. Three disciplines that would not individually have prevented the node-ipc incident but that together reduce the impact surface of a comparable incident to minutes rather than hours.
Frequently asked questions about the node-ipc supply-chain incident (May 2026)
Do TYPO3 sitepackage builds with Vite have to be reworked immediately because of the node-ipc incident?+
Yes, if the lockfile ran an npm install / pnpm install without a lockfile pin to a clean line in the 11-hour window 14 May 2026 03:00–14:00 UTC. The lockfile audit for node-ipc@9.1.6, 9.2.3 or 12.0.1 is the direct detection; the override pin to 9.1.5 or 12.0.0 in package.json is the direct mitigation. Anyone who froze lockfiles and did not run a lockfile update in the window is not affected — but the platform template still has to set the override for the next 30-day period until the maintainer line returns clean.
How do I check whether my Sylius frontend build with Webpack Encore is affected?+
Search the package-lock.json in the Sylius frontend repo for node-ipc — Webpack Encore pulls node-ipc transitively through the Webpack dev server. On a hit, delete the local node_modules, run npm cache clean --force, set the lockfile pin in package.json, then npm ci with the updated lockfile. If you set up Webpack Encore via Symfony Flex, the frontend build corridor lives in a separate sub-directory (assets/); the audit has to run there as well.
Do Wolfi-based Node container builds have to be rebuilt because of the node-ipc incident?+
Wolfi-based node containers close the finding through their own Wolfi index, which does not pass the public npm registry through — anyone building only from the Wolfi mirror is not affected. Anyone using Wolfi as a base but running npm install against the public registry inside the container (a common CI setup) is affected the same as any other build host and must apply the lockfile pin plus the cache invalidation. An image rebuild on a current Wolfi tag is mandatory if the container ran an image build with npm install in the 11-hour window.
Is the node-ipc incident structurally related to the Composer token leak from 14 May?+
Structurally in part, operationally yes. Both incidents sit on the supply-chain frontline and both target CI pipelines. The Composer token leak from 14 May exfiltrates GITHUB_TOKEN values through diagnostic output; node-ipc exfiltrates the entire credential pool of a build host through DNS TXT tunnelling. Anyone who took the Composer pin today and runs the node-ipc lockfile audit in parallel addresses two different classes of the supply-chain frontline together.
Which lockfile discipline best defends against comparable future incidents?+
A lockfile pin to a verified line plus a lockfile-drift pre-receive hook on the central Git server. The pin prevents an npm install without a lockfile update from pulling in the compromised state; the pre-receive hook prevents an accidental lockfile update from feeding the compromised state into the tenant estate. Additionally: SCA scan discipline after every lockfile update (Snyk, Socket, Dependabot with active signature updates) and SBOM generation per build for tenant-scoped reconstruction in case of suspicion.
When is node-ipc likely to be available again from a verified maintainer identity?+
As of 15 May 2026 09:00 CEST the node-ipc maintainer account on npm is locked; a return discipline (hardware-key publishing, GPG signature, MFA backup-code discipline) is a precondition for the next clean publish. We recommend the override pin to 9.1.5 or 12.0.0 for at least 30 days, until the maintainer line returns verified. The next publish should be checked against the SBOM diff on the platform audit layer before it lands in the tenant estate.
Conclusion
The node-ipc incident is not a technical showpiece on the attacker's calendar. No new exploit, no zero-day flaw in the registry, no creative technique. What makes the finding operationally serious is the structural weakness in maintainer-identity discipline combined with the DNS egress corridor on typical build hosts. Eleven hours of stealer live-time in the registry, a domain-recovery path as the only authentication root, and a supply-chain frontline that today moves more transitive dependencies than any classical library strategy of the past decade.
The question is not whether the override pin to 9.1.5 is enough. It is enough for the concrete path that node-ipc closed on 14 May. The question is whether your platform runs maintainer-identity discipline as its own component, or whether maintainer identities continue to drift through tenant pipelines as a “module detail”. The structural answer is the first option: a curated Wolfi line, an SBOM per build, a maintainer-identity audit across the top 200 transitive dependencies, and a DNS egress discipline that does not depend on the next Falco hit.
We inventory, rotate and audit production Node/npm build pipelines against the node-ipc supply-chain incident.
Lockfile audit across all TYPO3 sitepackage and Sylius shop repos, override pin to the clean line in package.json, cache invalidation on build hosts, credential rotation on affected build hosts in the 11-hour exposure window, DNS egress audit for the lookalike-domain pattern, SBOM generation per build as a curated platform component.
If you operate TYPO3 or Sylius platforms in the German Mittelstand, run npm as a frontend build layer, or are responsible for a curated Node container line — let's talk before the next domain-lifecycle move triggers the next stealer. Book a slot directly, or take a look at our standard line for DevSecOps platform operations and TYPO3 platform operations first.
![[Translate to English:] Foto von Kai Ole Hartwig.](/fileadmin/_processed_/e/9/csm_ole-neu_73323ad80d.jpeg)
![[Translate to English:] Zwei identisch versiegelte cremefarbene Pergament-Briefumschläge mit oxblutfarbenen Wachssiegeln auf glattem Beton; der rechte Umschlag ist trotz intakten Siegels seitlich aufgeschlitzt und gibt einen abweichenden Briefinhalt frei. Daneben eine messingfarbene Juwelierlupe und ein einzelner oxblutfarbener Baumwollfaden, der aus dem Bild führt, in kühlem Nordlicht.](/fileadmin/_processed_/7/0/csm_929374f5deba3a060cbcc336c9591d68fea031bf076ca37229528d7d144c109d_24902d65ee.jpg)