🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog:

New Model 3 Performance launching today 🏎️ → 0-60 mph in 2.9 510 hp / 741 Nm 163 mph top speed — Performance-tuned chassis Same quiet & comfortable cabin plus bespoke chassis hardware for improved stiffness and higher performance baseline. More power, lower energy consumption New Performance 4th gen drive unit can deliver: +22% continuous power +32% peak power +16% peak torque compared to previous Model 3 Performance. All with lower total energy consumption! Forged & staggered 20" wheels + Pirelli P Zero 4 tires Better traction out of corners while limiting traction control interventions. Also, better comfort, lower rolling resistance & increased range. Better Track Mode Track Mode V3 now integrates motor controls, suspension controls, powertrain cooling, & our Vehicle Dynamics Controller (VDC) under a single, unified system. This gives you a more predictable, stable & consistent experience in various track environments. New Adaptive Damping system Adjusts to driver & road inputs in real time to optimize ride & handling, while also improving ride comfort. Controlled via in-house software, which means it keeps improving via future over-the-air software updates. More aerodynamic exterior design 5% reduced drag, 36% lift reduction & 55% improvement in front-to-rear lift balance compared to previous Model 3 Performance. New Sports Seats Same functionality & comfort as before, but with much better lateral support for cornering & dynamic driving

🚨 BREAKING: node-ipc compromised. Again. Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads. Here's what happened: An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough. What it steals: → AWS, Azure, GCP credentials → SSH private keys → Kubernetes configs → Docker tokens → GitHub CLI tokens → AI tool configs (including Claude) → Terraform state → 90+ credential file patterns in total Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic. The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh. Key details: Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean. The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack. This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation. If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything. Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected:

The CoinDesk 20 is currently trading at 2110.57, up 0.5% (+11.5) since 4 p.m. ET on Friday. Eleven of 20 assets are trading higher. Leaders: $TAO (+4.1%) and $LINK (+2.7%). Laggards: $NEAR (-2.9%) and $BCH (-2.1%).

Here are the largest holdings in the S&P 500 Nvidia $NVDA 8.4% Apple $AAPL 6.8% Microsoft $MSFT 4.8% Amazon $AMZN 4.2% Alphabet $GOOGL 3.6% Broadcom $AVGO 3.2% Alphabet $GOOG 2.9% Meta $META 2.1% Tesla $TSLA 2.0% Micron $MU 1.4% Berkshire Hathaway $BRK.B 1.4%

🚨 SlowMist TI Alert 🚨 MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately. Detection & Remediation: Please urgently audit your environments for exposure: • Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions. • Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges. • CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.). ⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner. As always, stay vigilant!

In Europe*, 1.4k Tesla sales were reported for the week of April 27 to May 3. 🇪🇺 This is +26.3% WoW and +2.9% compared to the same week last year. This has been second best week of the quarter so far. The quarter after 5 weeks is +32.0% QoQ and +24.4% YoY. YTD sales are +16.6% year-over-year. This is the second-best quarter out of the last five so far. * Data from the daily/weekly reporting countries UK, Norway, Netherlands, Sweden, Denmark, Italy, Spain, Switzerland, Czech Republic, Iceland (~60% of Tesla sales in Europe)

US labor productivity kept rising in Q1, but more slowly. Output per hour for nonfarm workers increased at a 0.8% annual rate, down from 1.6% in Q4. Compared w/a year earlier, however, productivity was up 2.9%; the biggest gain since 2024. Productivity has been on a strong run since 2023. JPMorgan cautions against attributing too much of this strength to AI, noting it’s still early. Still, ongoing business investment in AI could help sustain the trend. Faster productivity growth may also be helping to contain unit labor costs, which rose just 1.2% YoY; suggesting limited wage-driven inflation pressure.

🔥 $迷你屎壳郎 is on Fire! 🚀 CA: 0x0732f5b2c9035f6491484e0960209ac467787777 Check Chart - Signal: 📈 5m | 1h | 6h: -1.32% | -6.90% | 22.99% 🎲 TXs/Vol: 626/$13.05K 💡 MCP: $35.03K 💧 Liq: $16.42K 👥 Holders: 499 ✅ Honeypot / ✅ Verified / ✅ Locked/ ✅ Renounced TOP 10: 18.0% Insiders: 0.00% Phishing: 2.9% 🔥Trending Group: #Degen# #NewGem#