Last Updated on 21/03/2022 by Nidhi Khandelwal
The maintainer of the popular “node-ipc” npm package published modified versions that protest Russia’s invasion of Ukraine, raising concerns about open-source and software supply chain security.
The changes, made by the library’s maintainer RIAEvangelist and shipped in versions 10.1.1 and 10.1.2, geolocated the user’s IP address and, for addresses in Russia or Belarus, overwrote the contents of arbitrary files with a heart emoji.
With support for Linux, macOS, and Windows, node-ipc is a popular Node.js module for local and remote inter-process communication (IPC). It receives over 1.1 million downloads per week.
“Any system on which this NPM package is relied upon would experience a very clear abuse and a major supply chain security incident if that geo-location matches either Russia or Belarus,” Snyk researcher Liran Tal stated in an analysis.
The vulnerability has been assigned the identifier CVE-2022-23812 and a CVSS score of 9.8 out of 10. The malicious code was released on March 7 in version 10.1.1, with a follow-up release (version 10.1.2) about 10 hours later on the same day.
Even though the destructive changes were removed from the library in version 10.1.3, a major update (version 11.0.0) was published less than four hours later, adding another package called “peacenotwar,” also published by RIAEvangelist, as a dependency.
“Any time the node-ipc module’s functionality is called, it publishes a message from the peacenotwar module to STDOUT, as well as places a file on the user’s Desktop directory with contents relevant to Russia and Ukraine’s current war-time circumstances,” Tal explained.
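The practical question for anyone running Node.js is whether node-ipc is in their dependency tree at one of the versions discussed above, including transitively. The script below is an added example written for this page, not code from the article, from Snyk, or from the node-ipc project. It reads an npm package-lock.json (both the lockfileVersion 1 nested format and the lockfileVersion 2/3 flat “packages” map), finds every resolved copy of node-ipc, and flags 10.1.1 and 10.1.2 as carrying the destructive payload and 11.0.0 and later as pulling in peacenotwar; treating every release from 11.0.0 onward as affected is an assumption, since the article only names 11.0.0. The sample lockfile embedded in the block is constructed for the demonstration.

```javascript
// Added example (not from the article or from node-ipc): scan an npm
// package-lock.json for node-ipc versions the article describes as affected.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Versions that overwrote files with a heart emoji on hosts geolocated to Russia/Belarus.
const DESTRUCTIVE = new Set(["10.1.1", "10.1.2"]);
// 11.0.0 added peacenotwar as a dependency; assumed here to apply to later 11.x too.
const PROTESTWARE_MIN = [11, 0, 0];

// Parse "MAJOR.MINOR.PATCH" (ignoring any prerelease/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return a human-readable reason if the version is affected, otherwise null.
function classify(version) {
  if (DESTRUCTIVE.has(version)) return "destructive payload (CVE-2022-23812)";
  const parsed = parseVersion(version);
  if (parsed && compareVersions(parsed, PROTESTWARE_MIN) >= 0) return "imports peacenotwar";
  return null;
}

// Walk a parsed package-lock.json and list every affected node-ipc install path.
function findAffectedNodeIpc(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/some-cli/node_modules/node-ipc" (nested copies included).
    for (const [path, info] of Object.entries(lockfile.packages)) {
      if (path.endsWith("node_modules/node-ipc") && info.version) {
        const reason = classify(info.version);
        if (reason) hits.push({ path, version: info.version, reason });
      }
    }
  } else if (lockfile.dependencies) {
    // lockfileVersion 1: a nested tree, so recurse into each package's "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "node-ipc" && info.version) {
          const reason = classify(info.version);
          if (reason) hits.push({ path, version: info.version, reason });
        }
        if (info.dependencies) walk(info.dependencies, path + "/");
      }
    };
    walk(lockfile.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): the top-level node-ipc is a
// safe 9.x, but a CLI tool drags in a nested 10.1.2 that would be easy to miss.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-cli": { version: "2.3.0", dependencies: { "node-ipc": "^10.1.0" } },
    "node_modules/some-cli/node_modules/node-ipc": { version: "10.1.2" },
  },
};

for (const h of findAffectedNodeIpc(SAMPLE_LOCKFILE)) {
  console.log(`${h.path}@${h.version}: ${h.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result is the signal to pin or remove the offending dependency. The check is intentionally per-install-path rather than per-package-name, because npm dedupes only when version ranges are compatible, so a safe top-level node-ipc does not rule out an affected nested copy elsewhere in the tree.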