diff --git a/package.json b/package.json
index 29fea8a..5484ba1 100644
--- a/package.json
+++ b/package.json
@@ -815,7 +815,7 @@
       "hosted-git-info": "8.1.0",
       "isexe": "3.1.1",
       "lru-cache": "11.2.2",
-      "minimatch": "9.0.5",
+      "minimatch": "9.0.6",
       "minipass": "7.1.3",
       "minipass-fetch": "4.0.1",
       "minipass-sized": "1.0.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 4981b13..e5fa61b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -22,7 +22,7 @@ overrides:
   hosted-git-info: 8.1.0
   isexe: 3.1.1
   lru-cache: 11.2.2
-  minimatch: 9.0.5
+  minimatch: 9.0.6
   minipass: 7.1.3
   minipass-fetch: 4.0.1
   minipass-sized: 1.0.3
@@ -2463,8 +2463,8 @@ packages:
     resolution: {integrity: sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==}
     engines: {node: '>=10'}
 
-  minimatch@9.0.5:
-    resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==}
+  minimatch@9.0.6:
+    resolution: {integrity: sha512-kQAVowdR33euIqeA0+VZTDqU+qo1IeVY+hrKYtZMio3Pg0P0vuh/kwRylLUddJhB6pf3q/botcOvRtx4IN1wqQ==}
     engines: {node: '>=16 || 14 >=14.17'}
 
   minimist@1.2.8:
@@ -3615,7 +3615,7 @@ snapshots:
     dependencies:
       '@eslint/object-schema': 2.1.7
       debug: 4.4.3(supports-color@10.2.2)
-      minimatch: 9.0.5
+      minimatch: 9.0.6
     transitivePeerDependencies:
       - supports-color
 
@@ -3634,7 +3634,7 @@ snapshots:
       ignore: 5.3.2
       import-fresh: 3.3.1
       js-yaml: 4.1.1
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       strip-json-comments: 3.1.1
     transitivePeerDependencies:
       - supports-color
@@ -3839,7 +3839,7 @@ snapshots:
       hosted-git-info: 8.1.0
       json-stringify-nice: 1.1.4
       lru-cache: 11.2.2
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       nopt: 8.1.0
       npm-install-checks: 7.1.2
       npm-package-arg: 12.0.2
@@ -3888,7 +3888,7 @@ snapshots:
       '@npmcli/name-from-folder': 4.0.0
       '@npmcli/package-json': 7.0.0
       glob: 13.0.6
-      minimatch: 9.0.5
+      minimatch: 9.0.6
 
   '@npmcli/metavuln-calculator@9.0.3(supports-color@10.2.2)':
     dependencies:
@@ -4219,7 +4219,7 @@ snapshots:
   '@tufjs/models@4.1.0':
     dependencies:
       '@tufjs/canonical-json': 2.0.0
-      minimatch: 9.0.5
+      minimatch: 9.0.6
 
   '@types/cacheable-request@6.0.3':
     dependencies:
@@ -4820,7 +4820,7 @@ snapshots:
       is-glob: 4.0.3
       json-stable-stringify-without-jsonify: 1.0.1
       lodash.merge: 4.6.2
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       natural-compare: 1.4.0
       optionator: 0.9.4
     optionalDependencies:
@@ -4964,7 +4964,7 @@ snapshots:
     dependencies:
       foreground-child: 3.3.1
       jackspeak: 3.4.3
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       minipass: 7.1.3
       package-json-from-dist: 1.0.1
       path-scurry: 1.11.1
@@ -4973,14 +4973,14 @@ snapshots:
     dependencies:
       foreground-child: 3.3.1
       jackspeak: 4.2.3
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       minipass: 7.1.3
       package-json-from-dist: 1.0.1
       path-scurry: 2.0.2
 
   glob@13.0.6:
     dependencies:
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       minipass: 7.1.3
       path-scurry: 2.0.2
 
@@ -5059,7 +5059,7 @@ snapshots:
 
   ignore-walk@8.0.0:
     dependencies:
-      minimatch: 9.0.5
+      minimatch: 9.0.6
 
   ignore@5.3.2: {}
 
@@ -5336,7 +5336,7 @@ snapshots:
 
   mimic-response@3.1.0: {}
 
-  minimatch@9.0.5:
+  minimatch@9.0.6:
     dependencies:
       brace-expansion: 5.0.5
 
@@ -6038,7 +6038,7 @@ snapshots:
   type-coverage-core@2.29.7(typescript@5.9.2):
     dependencies:
       fast-glob: 3.3.3
-      minimatch: 9.0.5
+      minimatch: 9.0.6
       normalize-path: 3.0.0
       tslib: 2.8.1
       tsutils: 3.21.0(typescript@5.9.2)
diff --git a/src/ipc.ts b/src/ipc.ts
index 9677fcd..d556f45 100644
--- a/src/ipc.ts
+++ b/src/ipc.ts
@@ -269,8 +269,9 @@ async function ensureIpcDirectory(filePath: string): Promise<void> {
   const fs = getFs()
   const path = getPath()
   const dir = path.dirname(filePath)
-  // Create directory recursively if it doesn't exist.
-  await fs.promises.mkdir(dir, { recursive: true })
+  // Use restrictive permissions (owner-only) to prevent other users
+  // from reading or writing IPC stub files.
+  await fs.promises.mkdir(dir, { recursive: true, mode: 0o700 })
 }
 
 /**
@@ -326,11 +327,12 @@ export async function writeIpcStub(
 
   // Write with pretty printing for debugging.
   const fs = getFs()
-  await fs.promises.writeFile(
-    stubPath,
-    JSON.stringify(validated, null, 2),
-    'utf8',
-  )
+  // Use restrictive permissions (owner-only read/write) to prevent
+  // other users on the system from reading sensitive IPC data.
+  await fs.promises.writeFile(stubPath, JSON.stringify(validated, null, 2), {
+    encoding: 'utf8',
+    mode: 0o600,
+  })
   return stubPath
 }
 
@@ -442,7 +444,9 @@ export async function cleanupIpcStubs(appName: string): Promise<void> {
               // File is stale if EITHER check indicates staleness
               isStale = isStale || contentAge > maxAgeMs
             } catch {
-              // If we can't read/parse the file, rely on mtime check
+              // If we can't read/parse the file, treat it as stale
+              // to prevent accumulation of corrupted stub files.
+              isStale = true
             }
 
             if (isStale) {