Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (Security News, March 2022)
In what's yet another act of sabotage, the developer behind the popular "node-ipc" NPM package shipped a new version to protest Russia's invasion of Ukraine, raising concerns about open-source and software supply chain security.
Affecting versions 10.1.1 and 10.1.2 of the library, the changes introduced by its maintainer RIAEvangelist targeted users with IP addresses geolocated in Russia or Belarus, wiping arbitrary file contents and replacing them with a heart emoji.
"A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus," Snyk researcher Liran Tal said in an analysis.
Interestingly, although the destructive payload was removed from the library in version 10.1.3, a major update was pushed less than four hours later that imported another dependency called "peacenotwar," also released by RIAEvangelist as a form of "Non-violent protest against Russia's aggression."
"Any time the node-ipc module functionality gets called, it prints to STDOUT a message taken out of the peacenotwar module, as well as places a file on the user's Desktop directory with contents relating to the current war-time situation of Russia and Ukraine," Tal explained.
As of March 15, 2022, the latest version of node-ipc - 11.1.0 - bumps the "Peacenotwar" package version from 9.1.3 to 9.1.5 and bundles the "Colors" NPM library, while also removing the STDOUT console messages.
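As an added example (not code from the article or the node-ipc project), a small scanner that reads a package-lock.json in the v2/v3 "packages" layout and flags node-ipc pins in the 10.1.1 to 10.1.2 wiper range or in the 11.x range that pulls in peacenotwar, plus any peacenotwar entry itself. The 11.0.0 floor is an assumption drawn from the article's "major update" and its mention of 11.1.0; the lockfile fragment is constructed.

```javascript
// Version ranges reported in the article for the node-ipc incident.
// The 11.0.0 floor for the peacenotwar-importing release is an assumption.
const AFFECTED = {
  "node-ipc": [
    { min: "10.1.1", max: "10.1.2", why: "destructive payload: wipes files on RU/BY IPs" },
    { min: "11.0.0", max: null,     why: "imports peacenotwar (writes a file to Desktop)" },
  ],
  peacenotwar: [{ min: "0.0.0", max: null, why: "protestware dependency" }],
};

// Parse "major.minor.patch", ignoring a leading "v"/"=" and any pre-release suffix.
function parseVersion(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Walk the lockfile's "packages" map (keys are node_modules paths, "" is the root)
// and return findings of the form { name, version, path, why }.
function scanLockfile(lock) {
  const findings = [];
  for (const [pkgPath, info] of Object.entries(lock.packages || {})) {
    if (!pkgPath) continue;
    // Last "node_modules/" segment gives the package name (scoped names keep "@scope/").
    const name = pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
    const rules = AFFECTED[name];
    const ver = info.version && parseVersion(info.version);
    if (!rules || !ver) continue;
    for (const r of rules) {
      const aboveMin = compareVersions(ver, parseVersion(r.min)) >= 0;
      const belowMax = r.max === null || compareVersions(ver, parseVersion(r.max)) <= 0;
      if (aboveMin && belowMax) findings.push({ name, version: info.version, path: pkgPath, why: r.why });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable node-ipc pin, one nested safe pin,
// and a direct peacenotwar dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/peacenotwar": { version: "9.1.5" },
  },
};
```

Run it against a real lockfile with `JSON.parse(require("fs").readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; an empty result means none of the reported versions are pinned.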
News URL
https://thehackernews.com/2022/03/popular-npm-package-updated-to-wipe.html