node-ipc developers pushed a malware update in protest of the Russian invasion of Ukraine
The latest major update to the node-ipc package on the Node Package Manager (npm) registry was configured to wipe files on computers in Belarus and Russia in protest of the invasion of Ukraine.
The update has affected several software projects that use node-ipc as a dependency, including Unity and Vue.js. Any project that depends on node-ipc and has developers in Belarus or Russia could face major supply chain disruptions and other dangerous repercussions.
In response to this newly introduced malicious code, GitHub published advisory CVE-2022-23812.
In response to a request for the module to be removed from node-ipc, developer Brandon Nozaki Miller responded with the following comment:
"It is documented what it does and only writes a file if it does not exist. You are free to lock your dependency to a version that does not include this until something happens with the war, like it turns into WWIII and more of us wish that we had done something about it, or ends and this gets removed.
This is why it is done as a new major rev. This also should serve as a safe example of why we teams should use explicit dependency versions. So it is always our choice to upgrade or not."
The malware was present in versions 10.1.1 and 10.1.2 of node-ipc, with version 10.1.3 and later no longer including it.
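For teams checking whether the affected versions reached their builds, here is an added example (not code from the article or from the node-ipc project) that scans an npm package-lock.json for node-ipc installs at 10.1.1 or 10.1.2, including transitive installs nested under other packages. The sample lockfile, the "some-cli" package and its version numbers are constructed for illustration.

```javascript
// Added example: scan an npm package-lock.json for node-ipc installs at the
// versions the article names as carrying the wiper (10.1.1 and 10.1.2).
// Both lockfile layouts are handled: the flat "packages" map keyed by install
// path (lockfileVersion 2/3) and the nested "dependencies" tree (lockfileVersion 1).
const AFFECTED_VERSIONS = new Set(['10.1.1', '10.1.2']);

// Collect every installed node-ipc together with the path it was installed at.
function findNodeIpc(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const parts = path.split('/');
      const last = parts[parts.length - 1];
      const parent = parts[parts.length - 2];
      if (last === 'node-ipc' && parent === 'node_modules' && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: recurse through nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc' && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Keep only installs at a version that carried the wiper.
function affectedNodeIpc(lock) {
  return findNodeIpc(lock).filter((entry) => AFFECTED_VERSIONS.has(entry.version));
}

// Constructed sample lockfile (lockfileVersion 2): the direct node-ipc pin is
// outside the affected range, but a hypothetical "some-cli" dependency pulls in 10.1.2.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/node-ipc': { version: '10.1.2' },
  },
};

for (const hit of affectedNodeIpc(SAMPLE_LOCK)) {
  console.log(`affected node-ipc@${hit.version} installed at ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a direct pin to a safe version does not by itself rule out a nested copy, which is why the scan walks every install path.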