In what amounts to an act of deliberate sabotage, the developer behind the popular “node-ipc” NPM package shipped a tampered version to condemn Russia’s invasion of Ukraine, raising concerns about the security of open-source software and the software supply chain.

Affecting versions 10.1.1 and 10.1.2 of the library, the changes introduced by its maintainer RIAEvangelist brought about destructive behaviour: they targeted users whose IP addresses geolocated to either Russia or Belarus, wiping arbitrary file contents and replacing them with a heart emoji.

Node-ipc is a prominent Node.js module used for local and remote inter-process communication (IPC) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads.

“A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus,” Snyk researcher Liran Tal said in an analysis.

The issue has been assigned the identifier CVE-2022-23812 and is rated 9.8 out of 10 on the CVSS vulnerability scoring system. The malicious code changes were published on March 7 (version 10.1.1), with a second update following 10 hours later the same day (version 10.1.2).
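Because the tampered releases are two exact versions, the practical check for a downstream project is whether its lockfile resolves node-ipc (directly or transitively) to 10.1.1 or 10.1.2. The following script is an added example written for this article; it is not code from node-ipc, Snyk or the original page. It assumes the standard npm lockfile layouts (lockfileVersion 1 with a nested "dependencies" tree, lockfileVersion 2/3 with a flat "packages" map keyed by node_modules path) and uses constructed sample lockfiles so it runs stand-alone.

```javascript
// Added example (not from the article or the node-ipc project): report any
// node-ipc entry in an npm lockfile pinned to the releases the article names
// as tampered (10.1.1 and 10.1.2). Supports lockfileVersion 1 and 2/3.

// Package name -> set of affected versions (from the article).
const AFFECTED = { "node-ipc": new Set(["10.1.1", "10.1.2"]) };

// lockfileVersion 2/3: "packages" is a flat map whose keys are install paths
// such as "node_modules/a/node_modules/b"; the package name is the last
// segment after the final "node_modules/" (scoped names keep their "@scope/").
function scanPackages(packages) {
  const hits = [];
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = key.split("node_modules/").pop();
    const bad = AFFECTED[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path: key });
    }
  }
  return hits;
}

// lockfileVersion 1: "dependencies" is a tree; nested deps live under each
// entry's own "dependencies" key, so recurse and rebuild the install path.
function scanDependencies(deps, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = `${prefix}node_modules/${name}`;
    const bad = AFFECTED[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path: here });
    }
    hits.push(...scanDependencies(meta.dependencies, `${here}/`));
  }
  return hits;
}

// Dispatch on the lockfile format and return every affected install.
function findAffected(lock) {
  return lock.lockfileVersion >= 2
    ? scanPackages(lock.packages)
    : scanDependencies(lock.dependencies);
}

// Convenience wrapper for a real package-lock.json on disk.
function scanLockfile(file) {
  const fs = require("fs");
  return findAffected(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.2.1" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": {
      version: "4.0.0",
      dependencies: { "node-ipc": { version: "10.1.1" } },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node scan-node-ipc.js [path/to/package-lock.json]
  const target = process.argv[2];
  const hits = target ? scanLockfile(target) : findAffected(SAMPLE_V3);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log("no affected node-ipc versions found");
}
```

Run it against a project's package-lock.json; a hit under a nested node_modules path means the tampered version arrived as a transitive dependency, which is why checking only the top-level package.json is not enough.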
