By falco365 · Published May 14, 2026

node-ipc npm (TeamPCP): DNS tunnel exfiltration via bt.node[.]js, tpcp.tar.gz packaging, and AI tool hook injection

The npm node-ipc package — versions 9.1.6, 9.2.3, and 12.0.1 — contains a heavily obfuscated credential-stealing payload with multiple TeamPCP attribution markers: tpcp.tar.gz archive naming, docs-tpcp GitHub fallback channel, and Fisher-Yates string shuffle matching prior campaign tooling. The distinguishing operational feature is DNS-based exfiltration: credentials are split into label-sized chunks and exfiltrated as DNS queries to bt.node[.]js via a non-standard resolver (sh.azurestaticprovider[.]net:443), bypassing domain blocklists that focus on HTTP/HTTPS C2.

Analysis

The npm node-ipc package — a widely used inter-process communication library — contains a highly obfuscated credential-stealing payload in versions 9.1.6, 9.2.3, and 12.0.1. Multiple indicators align with TeamPCP-attributed campaigns: a docs-tpcp or tpcp-docs GitHub fallback channel, a custom ustar tar archiver that writes tpcp.tar.gz, and a Fisher-Yates string-shuffle obfuscation matching prior campaign tooling.

The operationally significant capability in this payload is DNS-based exfiltration. Rather than posting to an HTTP/HTTPS C2 endpoint, the payload splits the encrypted credential bundle into label-sized chunks and exfiltrates via DNS A, AAAA, and TXT queries to bt.node[.]js subdomains, routing through an attacker-controlled resolver at sh.azurestaticprovider[.]net:443. Standard network egress monitoring that blocks known C2 domains cannot detect or block DNS tunnel exfiltration without dedicated DNS anomaly detection.

Obfuscation: Fisher-Yates string shuffle

Every string literal in the payload is hidden behind a custom lookup table and a Fisher-Yates style shuffle implemented in the _0x1a49 decoder operating on the _0x3bc9ff encoded-string array. The decoded values include targeting selectors like AWS_ACCESS_KEY_ID, OPENAI_API_KEY, and KUBERNETES_SERVICE_HOST.

This obfuscation approach — Fisher-Yates shuffle of a string array with a keyed decoder — is a consistent artifact across multiple TeamPCP payloads. It is not a generic off-the-shelf obfuscator; it is a specific implementation that serves as a toolchain fingerprint.

Collection scope: AI API keys as first-class targets

The payload explicitly targets AI service credentials alongside standard developer tooling:

  • AI API keys: OPENAI_API_KEY, Anthropic API keys
  • Cloud tokens: AWS access keys and session tokens, Azure credentials, Google Cloud credentials
  • SSH private keys
  • /etc/hosts, process.env, uname -a
  • .git checkouts, node_modules, developer configuration files in the home directory

Targeting Anthropic API keys specifically — not just OpenAI — reflects the operator's awareness that Claude API credentials have immediate monetization value.

tpcp.tar.gz packaging

Collected files are staged under tmpdir() as per-collector artifacts (envs.txt, uname.txt, etc.) and bundled by a hand-rolled tar implementation. The hardcoded 0000644 octal mode field and ustar magic identify the archiver. The archive is named tpcp.tar.gz — the same naming that appeared in the litellm PyPI payload (March 2026) and is the TeamPCP Layer 1 self-attribution marker in the packaging artifact. Each archive is signed with HMAC-SHA-256 before exfiltration.

DNS tunnel exfiltration

The DNS exfiltration channel routes through the attacker-controlled resolver sh.azurestaticprovider[.]net:443 rather than the host's configured DNS. This bypasses corporate DNS resolvers that might log or block queries to attacker infrastructure. The payload splits the encrypted bundle into label-sized chunks and issues resolve4, resolve6, and resolveTxt lookups against subdomains of bt.node[.]js:

Query pattern: <xh|xd|xf>.<machineId>.<sessionId>.<signature>.<chunkIndex>.<payload>.bt.node[.]js

Prefixes: xh (header), xd (data), xf (footer). Each chunk is transformed with SHA-256 and HMAC-SHA-256 derived material plus a base64 alphabet substitution. The hardcoded HMAC signing key is qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi.

Detection of this channel requires DNS query analysis for subdomains of bt.node[.]js or for resolve4/6/TXT calls being issued to sh.azurestaticprovider[.]net rather than the configured system resolver.
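As an added example (not code from the original write-up or the payload), the following Node.js triage helper applies the query pattern above to resolver logs: it parses the label layout, groups chunks by machine and session, and counts queries sent to the rogue resolver instead of the system one. The log line format is constructed for the example; adapt the regex to your resolver's logging.

```javascript
// Added example, not code from the original write-up: triage DNS logs for the
// node-ipc payload's bt.node[.]js tunnel. Query pattern from the analysis:
//   <xh|xd|xf>.<machineId>.<sessionId>.<signature>.<chunkIndex>.<payload>.bt.node[.]js
const EXFIL_SUFFIX = 'bt.node.js';
const PREFIXES = new Set(['xh', 'xd', 'xf']); // header, data, footer
const ROGUE_RESOLVER = 'sh.azurestaticprovider.net'; // attacker-controlled resolver from the analysis

// Parse one query name; returns null unless it matches the tunnel layout.
// Accepts defanged names ("bt.node[.]js") so IoC lists can be fed in directly.
// Names are lower-cased for matching, so payload label case is not preserved.
function parseTunnelQuery(qname) {
  const labels = qname.toLowerCase().replace(/\[\.\]/g, '.').replace(/\.$/, '').split('.');
  if (labels.length < 9 || labels.slice(-3).join('.') !== EXFIL_SUFFIX) return null;
  const [prefix, machineId, sessionId, signature, chunkIndex, ...payload] = labels.slice(0, -3);
  if (!PREFIXES.has(prefix) || !/^\d+$/.test(chunkIndex)) return null;
  return { prefix, machineId, sessionId, signature, chunkIndex: Number(chunkIndex), payload: payload.join('') };
}

// Summarise a batch of log lines: per-session chunk counts, whether header/footer were seen,
// total payload label characters, and how many queries went to the rogue resolver.
function triageDnsLog(lines) {
  const sessions = {};
  let rogueResolverQueries = 0;
  for (const line of lines) {
    const m = /resolver=([^\s:]+)(?::\d+)?\s.*qname=(\S+)/.exec(line);
    if (!m) continue;
    const [, resolver, qname] = m;
    if (resolver.toLowerCase() === ROGUE_RESOLVER) rogueResolverQueries++;
    const q = parseTunnelQuery(qname);
    if (!q) continue;
    const key = `${q.machineId}/${q.sessionId}`;
    const s = sessions[key] || (sessions[key] = { chunks: 0, payloadChars: 0, header: false, footer: false, maxIndex: -1 });
    s.chunks++;
    s.payloadChars += q.payload.length;
    if (q.prefix === 'xh') s.header = true;
    if (q.prefix === 'xf') s.footer = true;
    s.maxIndex = Math.max(s.maxIndex, q.chunkIndex);
  }
  return { sessions, rogueResolverQueries };
}

// Constructed sample log (not real traffic): one complete session of four queries to the
// rogue resolver, plus a benign lookup through the corporate resolver.
const SAMPLE_LOG = [
  'ts=2026-05-14T10:00:01Z proc=node resolver=sh.azurestaticprovider.net:443 qtype=TXT qname=xh.m4f2.s91.ab12cd.0.ZXhhbXBsZQ.bt.node.js',
  'ts=2026-05-14T10:00:02Z proc=node resolver=sh.azurestaticprovider.net:443 qtype=A qname=xd.m4f2.s91.ab12cd.1.aaaabbbb.ccccdddd.bt.node.js',
  'ts=2026-05-14T10:00:03Z proc=node resolver=sh.azurestaticprovider.net:443 qtype=AAAA qname=xd.m4f2.s91.ab12cd.2.eeeeffff.bt.node.js',
  'ts=2026-05-14T10:00:04Z proc=node resolver=sh.azurestaticprovider.net:443 qtype=TXT qname=xf.m4f2.s91.ab12cd.3.ZG9uZQ.bt.node.js',
  'ts=2026-05-14T10:00:05Z proc=node resolver=10.0.0.53:53 qtype=A qname=registry.npmjs.org',
];
```

A session with a header, data chunks and a footer all issued from a Node.js process to a resolver that is not the configured one is the combination worth alerting on; a single stray match on the suffix alone is weaker evidence.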

Persistence, propagation, and AI tool hook injection

The payload uses child_process.fork to re-spawn itself as a detached process so the activity survives the parent shell exit. When loaded as a module, it overwrites the host application's exports and hooks its entry function.

Propagation targets: ~/.npmrc for npm publish token theft; PyPI credential stores for cross-registry spread. Downstream npm packages accessible via stolen .npmrc tokens are republished with the malicious payload injected.

Notably, the payload injects hooks into .claude/settings.json and VS Code configuration directories to influence AI coding assistants. This is a new vector in the TeamPCP cluster: targeting the AI coding assistant's configuration file (Claude Code's settings.json) to inject persistent hooks that survive across coding sessions — the same post-uninstall persistence mechanism documented in the Mini Shai-Hulud TanStack/Mistral wave.

Indicators of compromise

Affected npm versions: node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1

Filesystem artifacts:

  • tpcp.tar.gz in system temporary directory
  • envs.txt, uname.txt under tmpdir()

Network indicators (defanged):

  • sh.azurestaticprovider[.]net:443 — attacker-controlled DNS resolver
  • bt.node[.]js — exfiltration domain suffix
  • DNS query pattern: <xh|xd|xf>.<machineId>.<sessionId>.<signature>.<chunkIndex>.<payload>.bt.node[.]js

Code-level signatures:

  • Decoder function: _0x1a49; encoded string array: _0x3bc9ff
  • Tar header: hardcoded 0000644 octal mode, ustar magic
  • HMAC signing key: qZ8pL3vNxR9wKmTyHbVcFgDsJaEoUi
  • DNS label prefixes: xh, xd, xf

GitHub artifacts:

  • docs-tpcp or tpcp-docs repository created in victim GitHub organization
  • Unexpected modifications to ~/.npmrc, .claude/settings.json, or VS Code configuration directories after package import

Remediation

  • Remove affected versions immediately. Pin to a verified clean release; run npm cache clean --force.
  • Treat any host that imported an affected version as compromised. Rotate cloud credentials, AI API keys (OpenAI, Anthropic), GitHub and npm tokens, and SSH keys.
  • Audit GitHub organizations for docs-tpcp or tpcp-docs repositories. Existence confirms successful exfiltration.
  • Inspect .claude/settings.json and VS Code configuration on affected hosts for unexpected hook entries before resuming AI-assisted development.
  • Enable DNS anomaly detection for bt.node[.]js subdomains and DNS queries to non-standard resolvers from Node.js processes.
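As an added example for the first remediation step (not code from the original write-up), this Node.js helper checks a parsed package-lock.json for the three affected node-ipc versions, including transitive installs nested under other packages. It handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map); the lock content below is constructed.

```javascript
// Added example, not from the original write-up: report installed node-ipc versions that
// match the affected set named in the advisory. Works on a parsed package-lock.json object.
const AFFECTED = { 'node-ipc': new Set(['9.1.6', '9.2.3', '12.0.1']) };

function auditLockfile(lock) {
  const hits = [];
  const record = (name, version, path) => {
    if (AFFECTED[name] && AFFECTED[name].has(version)) hits.push({ name, version, path });
  };
  // lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/a/node_modules/node-ipc".
  // The root entry has key "" and is skipped because its name is never in AFFECTED.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    record(name, meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree. Version 2 locks carry both shapes,
  // so only walk the tree when no "packages" map is present to avoid double-reporting.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile (not a real project): one affected top-level install and one
// nested install of an unaffected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.1.6' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.2' },
  },
};
```

Run it over every lockfile in CI images and developer checkouts, not just the repository root; a nested hit under another package's node_modules is still a compromised host.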

Criminal-market signal

No dark-web presence for node-ipc malicious versions or bt.node[.]js infrastructure has been observed. The TeamPCP operator-run pattern confirmed across the cluster applies. H2 (operator-run, no commodity market) is the most probable assessment.