RIAEvangelist, the developer behind the popular “node-ipc” NPM package, shipped new versions that wipe files on systems located in Russia and Belarus to protest Russia’s invasion of Ukraine.
The node-ipc Node module provides local and remote inter-process communication with support for Linux, macOS, and Windows. It has over 1 million weekly downloads.
Versions 10.1.1 and 10.1.2 of the library overwrite the contents of arbitrary files, replacing them with a heart emoji.
“This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package. This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.” reads the analysis published by security firm Snyk. “A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus.”
The issue is tracked as CVE-2022-23812. Further investigation revealed that the wiping behavior was introduced on March 7 (version 10.1.1), with a second update following about 10 hours later (version 10.1.2).
The wiper code was removed from the package in release 10.1.3. RIAEvangelist later released a major update (version 11.0.0) that imports another dependency, “peacenotwar”, released as a form of “non-violent protest against Russia’s aggression.”
“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” reads the description for the code.
“Any time the node-ipc module functionality gets called, it prints to STDOUT a message taken out of the peacenotwar module, as well as places a file on the user’s Desktop directory with contents relating to the current war-time situation of Russia and Ukraine,” continues the analysis.
Version 11.1.0 of node-ipc, released on March 15, 2022, bumps the “peacenotwar” dependency from version 9.1.3 to 9.1.5 and bundles the “colors” NPM library, but no longer prints the STDOUT console messages.
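Because the destructive versions (10.1.1 and 10.1.2) and the protestware versions (11.0.0 and later) of node-ipc can reach a project as a transitive dependency nested under some other package, the practical check is a scan of the lockfile rather than of package.json alone. The following is an added example, not code from the article, from Snyk or from the node-ipc project; the helper names and the sample lockfile are constructed for illustration, and the version ranges it flags are exactly the ones described above.

```javascript
// Added example (not from the article or node-ipc): scan an npm lockfile for
// the node-ipc versions described in the text. The sample lockfile below is
// constructed so the script runs offline; a real run would parse package-lock.json.

// Ranges as described in the article:
//   10.1.1 and 10.1.2 -> destructive file wiper
//   11.0.0 and later  -> imports "peacenotwar" (non-destructive protestware)
// Everything else is treated as not flagged.

function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// Minimal numeric major.minor.patch comparison; no pre-release handling needed here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function classifyNodeIpc(version) {
  if (version === "10.1.1" || version === "10.1.2") return "destructive";
  if (compareVersions(version, "11.0.0") >= 0) return "protestware";
  return "clean";
}

// lockfileVersion 2/3 keeps a flat `packages` map keyed by install path, so a
// transitive copy appears as "node_modules/<parent>/node_modules/node-ipc".
function findNodeIpc(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/node-ipc")) continue;
    findings.push({ path, version: meta.version, status: classifyNodeIpc(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project): the direct dependency is
// pinned to a safe version, but two other packages pull in flagged copies.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { "node-ipc": "10.1.2" } },
    "node_modules/some-lib/node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/other-lib": { version: "3.1.0", dependencies: { "node-ipc": "11.1.0" } },
    "node_modules/other-lib/node_modules/node-ipc": { version: "11.1.0" },
  },
};

// One line per copy of node-ipc found anywhere in the tree.
for (const f of findNodeIpc(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.status}`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The scan covers only lockfile versions 2 and 3; a version 1 lockfile nests copies under a recursive `dependencies` tree instead of a flat `packages` map and would need a recursive walk. The point of the sample is the one the Snyk analysis makes: the direct dependency being pinned to a safe version says nothing about the copies other packages bring in.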
The colors and faker npm packages were similarly sabotaged by their maintainer, Marak, in January.
This mode of protest opens up disturbing scenarios: activists could mount similar supply chain attacks to compromise or destroy target systems.
“Snyk stands with Ukraine and we’ve proactively acted to support the Ukrainian people during the on-going crisis with donations and free service to developers world-wide, as well as taking action to cease business in Russia and Belarus.” conclude the experts. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”
(SecurityAffairs – hacking, node-ipc)