BIG sabotage: Famous npm package deletes files to protest Ukraine war
This month, the developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War.
Newer versions of the 'node-ipc' package began deleting all data and overwriting all files on developers' machines, in addition to creating new text files with "peace" messages.
With over a million weekly downloads, 'node-ipc' is a prominent package used by major libraries like Vue.js CLI.
Select versions (10.1.1 and 10.1.2) of the massively popular 'node-ipc' package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under CVE-2022-23812.
On March 8th, developer Brandon Nozaki Miller, aka RIAEvangelist, released open source software packages called peacenotwar and oneday-test on both npm and GitHub. The packages appear to have been originally created by the developer as a means of peaceful protest, as they mainly add a "message of peace" on the Desktop of any user installing the packages.
[...] A simplified copy of the code provided by researchers shows that for users based in Russia or Belarus, the code will rewrite the contents of all files present on a system with a heart emoji—effectively deleting all data on a system.
Additionally, because 'node-ipc' versions 9.2.2, 11.0.0, and those greater than 11.0.0 bundle the peacenotwar module within themselves, affected users saw 'WITH-LOVE-FROM-AMERICA.txt' files popping up on their Desktop with "peace" messages:
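As an added example (not code from the article, the node-ipc project or Snyk), the following script is the kind of check a defender would run against a project's npm package-lock.json to flag the node-ipc versions named above and any copy of the peacenotwar module. The version ranges are taken from the article; the lockfile structures follow npm's lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map), and the two embedded lockfiles are constructed samples, not real project files.

```javascript
// Added example, not code from the article or the node-ipc project.
// Scans an npm package-lock.json (lockfileVersion 1, 2 or 3) for the
// node-ipc versions the article lists as affected and for any copy of the
// 'peacenotwar' module. Version numbers come from the article; the sample
// lockfiles below are constructed for the demo.

// Versions that overwrite files on Russian/Belarusian hosts (CVE-2022-23812).
const DESTRUCTIVE_NODE_IPC = new Set(['10.1.1', '10.1.2']);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'destructive', 'bundles-peacenotwar', 'clean' or 'unknown'.
function classifyNodeIpc(version) {
  if (DESTRUCTIVE_NODE_IPC.has(version)) return 'destructive';
  const v = parseVersion(version);
  if (!v) return 'unknown';
  // 9.2.2, 11.0.0 and anything above 11.0.0 bundle the peacenotwar module.
  if (version === '9.2.2' || compareVersions(v, [11, 0, 0]) >= 0) {
    return 'bundles-peacenotwar';
  }
  return 'clean';
}

function recordFinding(name, version, findings) {
  if (name === 'node-ipc') {
    const verdict = classifyNodeIpc(version);
    if (verdict !== 'clean') findings.push({ name, version, verdict });
  } else if (name === 'peacenotwar') {
    findings.push({ name, version, verdict: 'protestware-module' });
  }
}

// lockfileVersion 1 nests transitive deps under each entry's "dependencies".
function walkV1(deps, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    recordFinding(name, meta.version, findings);
    walkV1(meta.dependencies, findings);
  }
}

// Returns an array of {name, version, verdict} for every suspicious entry.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/some-cli/node_modules/node-ipc"; "" is the root project.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      const name = installPath.split('node_modules/').pop();
      recordFinding(name, meta.version, findings);
    }
  } else {
    walkV1(lock.dependencies, findings);
  }
  return findings;
}

// Constructed sample lockfiles (not real project files).
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/node-ipc': { version: '10.1.1' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cli': {
      version: '2.0.0',
      dependencies: { 'node-ipc': { version: '9.2.2' } },
    },
    peacenotwar: { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
    console.log(`lockfileVersion ${lock.lockfileVersion}:`, scanLockfile(lock));
  }
}
```

To run it against a real project, replace the sample objects with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. A lockfile scan only tells you what is pinned; a host that already ran `npm install` with an affected version needs to be treated as potentially impacted regardless of what the lockfile says now.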
[...] "At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches a geo-location of either Russia or Belarus," writes Liran Tal, Director of Developer Advocacy at Snyk in a blog post.
[...] A GitHub user called it "a huge damage" to the credibility of the whole open source community.
"This behavior is beyond f**** up. Sure, war is bad, but that doesn't make this behavior (e.g. deleting all files for Russia/Belarus users and creating strange file in desktop folder) justified. F*** you, go to hell. You've just successfully ruined the open-source community. You happy now @RIAEvangelist?" asked another.
Some called out the 'node-ipc' developer for trying to "cover up" his tracks by persistently editing and deleting previous comments on the thread [1, 2, 3].
"Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest. How does that reflect on the maintainer's future reputation and stake in the developer community?" asks Snyk's Tal.
Also at The Register.
(Score: 0) by Anonymous Coward on Sunday March 20, @03:28AM
His accounts were hacked within days of committing this crime. He was doxed and even found in the old Ashley Madison database leak.