Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published via a compromised npm account and contain an active credential-harvesting backdoor targeting 90 secret categories including AWS, Azure, GCP, GitHub, Kubernetes, and SSH credentials. The payload uses dual-channel exfiltration over HTTPS and DNS TXT queries and evades standard lifecycle-hook monitoring by embedding directly in the package core module. Any organization with node-ipc or vue-cli in its dependency tree should treat affected build environments as compromised.