Supply chain attack: node-ipc sabotaged as anti-war “protestware”

Update March 17: This post has been getting a lot of traffic from one of the notorious news “scrapers”.

Pierluigi Paganini first copied this post verbatim on March 16th to a site called malwaredefinition.com, then on March 17th rewrote it slightly, changing the title to “node-ipc NPM Package sabotage to protest Ukraine invasion”. That version also cited an article dated the following day (March 18th) as the first appearance of the story.

The post node-ipc NPM Package sabotage to protest Ukraine invasion appeared first on Security Affairs

That’s obviously suspect, given that a March 17th article couldn’t possibly come after the March 18th one.

And then his March 18th write-up certainly didn’t come after this March 16th one, which he removed from his references… anyway, back to the story.

The node-ipc package maintainer (Brandon Nozaki Miller in Monterey, California) intentionally sabotaged it around March 14th, causing downstream failures.

The Snyk vulnerability database declared it critical.

Note: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior.

CVE-2022-23812 provides a stark summary of what happened to those affected by the sabotage.

This package contains malicious code that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji.

Overwriting files is hardly an act of peace.
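A defender's first question is whether a project pulls in the sabotaged releases at all. The following lockfile scanner is an added example, not code from the original post or from node-ipc; it flags the two signals the post describes (the `peacenotwar` package anywhere in the tree, and `node-ipc` at major version 11 or later, which imports it). The sample lockfile and its version numbers are constructed placeholders.

```javascript
// Added example (not the post's code): scan an npm lockfile for the sabotaged
// node-ipc line described above. Flags any "peacenotwar" package in the tree
// (imported by node-ipc 11.0.0+) and node-ipc itself at major version >= 11.
// Handles lockfileVersion 2/3 ("packages") and lockfileVersion 1 ("dependencies").
function majorOf(version) {
  const m = /^(\d+)\./.exec(version || "");
  return m ? Number(m[1]) : NaN;
}
// lockfileVersion 1 nests dependencies recursively; rebuild node_modules paths.
function* walkV1(deps, prefix) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, version: info.version };
    yield* walkV1(info.dependencies, `${path}/`);
  }
}

// Yield {path, name, version} for every installed package, whatever the format.
function* entries(lock) {
  if (!lock.packages) return yield* walkV1(lock.dependencies, "");
  for (const [path, info] of Object.entries(lock.packages)) {
    // "" is the root project itself; the last "node_modules/" segment is the
    // package name (scoped names like @scope/pkg survive the split).
    if (path !== "") yield { path, name: path.split("node_modules/").pop(), version: info.version };
  }
}
function auditLockfile(lock) {
  const findings = [];
  for (const e of entries(lock)) {
    if (e.name === "peacenotwar") {
      findings.push({ path: e.path, reason: "peacenotwar present in dependency tree" });
    } else if (e.name === "node-ipc" && majorOf(e.version) >= 11) {
      findings.push({ path: e.path, reason: `node-ipc ${e.version} imports peacenotwar` });
    }
  }
  return findings;
}

// Constructed sample lockfile (placeholder versions, not a real project):
// node-ipc with peacenotwar nested under it, plus an unrelated clean package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "11.1.0" },
    "node_modules/node-ipc/node_modules/peacenotwar": { version: "9.1.5" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK)); // two findings: node-ipc and peacenotwar
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means neither signal is present, not that the tree is otherwise trustworthy.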

On March 8th the “peacenotwar” module was submitted describing itself as an act of “protestware”.

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now.

On March 10th an issue was opened requesting help with messaging; it ended with this excited prediction of impact.

Planning on using this in the CommonsJS release which is the big one. Should be like half a million messages delivered in a day or two.

More about Brandon Miller from his YouTube channel:
