Package used by big apps now drops anti-war text files on desktops
The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers’ files.

Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a week from the NPM repository, and is described as an "inter-process communication module for Node, supporting Unix sockets, TCP, TLS, and UDP."

It appears Miller intentionally changed his code to overwrite the host system’s data, then changed the code to display a message calling for world peace, as a protest against Russia’s invasion of Ukraine. GitHub on Wednesday declared this a critical vulnerability tracked as CVE-2022-23812.

Between March 7 and March 8, versions 10.1.1 and 10.1.2 of the library were released. When imported as a dependency and run by a project, these checked if the host machine had an IP address in Russia or Belarus, and if so, overwrote every file it could with a heart symbol. Version 10.1.3 was released soon after without this destructive functionality; 10.1.1 and 10.1.2 were removed from the NPM registry.

Version 11 was then published, and the following week version 9.2.2. Both brought in a new package by Miller called peacenotwar, which creates files called WITH-LOVE-FROM-AMERICA.
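As an added example (not code from the article, node-ipc or peacenotwar), here is a lockfile check a defender could run to find the releases described above in a project's dependency tree; the sample lockfile and the package names in it other than node-ipc and peacenotwar are constructed.

```javascript
// Added example: flag the node-ipc releases the article names, plus peacenotwar, in a parsed package-lock.json.
const DESTRUCTIVE = new Set(['10.1.1', '10.1.2']); // CVE-2022-23812 file overwrite
const PROTESTWARE_EXACT = new Set(['9.2.2']);      // re-released with peacenotwar
const PROTESTWARE_MAJOR = 11;                      // 11.x also pulls in peacenotwar

// Classify one (name, version) pair; null means "not of interest".
function classify(name, version) {
  const v = String(version || '');
  if (name === 'peacenotwar') return 'protestware: drops WITH-LOVE-FROM-AMERICA files';
  if (name !== 'node-ipc') return null;
  if (DESTRUCTIVE.has(v)) return 'CRITICAL: CVE-2022-23812 destructive payload';
  if (PROTESTWARE_EXACT.has(v) || parseInt(v.split('.')[0], 10) === PROTESTWARE_MAJOR) {
    return 'protestware: depends on peacenotwar';
  }
  return null;
}

// lockfileVersion 2/3 lists every installed copy under "packages" keyed by node_modules path;
// lockfileVersion 1 nests them under "dependencies". Transitive copies are reported too.
function scanLockfile(lock) {
  const entries = []; // [path, name, version]
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path) entries.push([path, path.slice(path.lastIndexOf('node_modules/') + 13), meta.version]);
    } // "" is the root project itself and is skipped
  } else {
    const walk = (deps, prefix) => Object.entries(deps || {}).forEach(([name, meta]) => {
      const path = `${prefix}node_modules/${name}`;
      entries.push([path, name, meta.version]);
      walk(meta.dependencies, `${path}/`);
    });
    walk(lock.dependencies, '');
  }
  return entries
    .map(([path, name, version]) => ({ path, name, version, verdict: classify(name, version) }))
    .filter((hit) => hit.verdict !== null);
}

// Constructed sample (not a real project): direct node-ipc 9.2.2, a transitive 10.1.2, peacenotwar (placeholder version).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-build-plugin': { version: '1.0.0' },
    'node_modules/example-build-plugin/node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/node-ipc': { version: '9.2.2' },
    'node_modules/peacenotwar': { version: '0.0.0' },
    'node_modules/harmless-lib': { version: '2.3.4' },
  },
};
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `scanLockfile` and treat any CRITICAL hit as a reason to pin node-ipc away from the listed versions.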