Package used by big apps now drops anti-war text files on desktops
The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers’ files.

Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a week from the NPM repository, and is described as an “inter-process communication module for Node, supporting Unix sockets, TCP, TLS, and UDP.”

It appears Miller intentionally changed his code to overwrite the host system’s data, then changed the code to display a message calling for world peace, as a protest against Russia’s invasion of Ukraine. GitHub on Wednesday declared this a critical vulnerability tracked as CVE-2022-23812.

Between March 7 and March 8, versions 10.1.1 and 10.1.2 of the library were released. When imported as a dependency and run by a project, these checked if the host machine had an IP address in Russia or Belarus, and if so, overwrote every file it could with a heart symbol. Version 10.1.3 was released soon after without this destructive functionality; 10.1.1 and 10.1.2 were removed from the NPM registry.

Version 11 was then published, and the following week version 9.2.2. Both brought in a new package by Miller called peacenotwar, which creates files called WITH-LOVE-FROM-AMERICA.
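
A lockfile check for the releases named above, as an added example (not code from the article or from the node-ipc project). The function names, the sample lockfile and its package names are constructed, and treating "version 11" as any 11.x release is an assumption.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-cli': { version: '1.0.0' },
    'node_modules/example-cli/node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/node-ipc': { version: '9.2.2' },
    'node_modules/peacenotwar': { version: '0.0.0-constructed' },
    'node_modules/example-lib': { version: '2.0.0' },
  },
};

const DESTRUCTIVE = new Set(['10.1.1', '10.1.2']); // file-overwriting releases (CVE-2022-23812)

function classify(name, version) {
  if (name === 'peacenotwar') return 'peacenotwar';
  if (name !== 'node-ipc') return null;
  if (DESTRUCTIVE.has(version)) return 'destructive';
  // Assumption: the article's "version 11" is treated as any 11.x release.
  if (version === '9.2.2' || /^11\./.test(String(version))) return 'pulls-peacenotwar';
  return null;
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, version, path) => {
    const kind = classify(name, version);
    if (kind) findings.push({ name, version, path, kind });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // skip the root project entry ("")
    record(path.slice(idx + 'node_modules/'.length), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists, to avoid duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.kind}: ${f.name}@${f.version} at ${f.path}`);
```

For a real project, pass the result of `JSON.parse` on the `package-lock.json` contents to `auditLockfile`; transitive copies nested under other packages are reported with their install path.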