The various types of communication technologies and mobility features in IoT on one hand enable fruitful and attractive applications, but on the other hand facilitate malware propagation, thereby raising new challenges in handling IoT-empowered malware for cyber security. Compared to the malware propagation control scheme in traditional wireless networks, where nodes can be directly repaired and secured, in IoT, compromised end devices are difficult to patch. Alternatively, blocking malware via patching intermediate nodes turns out to be a more feasible and practical solution. Specifically, patching intermediate nodes can effectively prevent the proliferation of malware propagation by securing infrastructure links and limiting malware propagation to local device-to-device dissemination. This article proposes a novel traffic-aware patching scheme to select important intermediate nodes to patch, which applies to the IoT system with limited patching resources and response time constraint. Experiments on real-world trace datasets in IoT networks are conducted to demonstrate the advantage of the proposed traffic-aware patching scheme in alleviating malware propagation.