Malicious change made to NPM package node-ipc that deletes files on systems in Russia and Belarus

A malicious change has been identified in the node-ipc NPM package (CVE-2022-23812). With a 25% probability it replaces the contents of every file the process has write access to with a "❤️" character. The destructive code runs only on systems whose IP address geolocates to Russia or Belarus. node-ipc has about a million downloads per week and is a dependency of 354 packages, including vue-cli, so any project that pulls in an affected node-ipc release, directly or transitively, is affected as well.

The malicious code was published to the NPM repository in the node-ipc 10.1.1 and 10.1.2 releases. The change was committed to the project's Git repository under the project author's own account 11 days ago. The code determined the country by querying the api.ipgeolocation.io service; the API key that the malicious insert used to access ipgeolocation.io has since been revoked.

In the comments on the report about the questionable code, the project author claimed that the change merely adds a file to the desktop displaying a message calling for peace. In fact, the code recursively enumerated directories and attempted to overwrite every file it encountered.

Later, node-ipc 11.0.0 and 11.1.0 were published to NPM; instead of the embedded malicious code, they add an external dependency, "peacenotwar", controlled by the same author and offered to other package maintainers who wish to join the protest. peacenotwar is stated to do nothing more than display a message about peace, but given the actions the author has already taken, the package's future contents are unpredictable and the absence of destructive changes is not guaranteed.

In parallel, an update was released in the node-ipc 9.2.2 stable branch, the one used by the Vue.js project. Besides peacenotwar, the new release also adds the colors package to its dependencies; the author of colors integrated destructive changes into its code in January. The source license in the new release was changed from MIT to DBAD.

Since the author's next steps are unpredictable, node-ipc users are advised to pin the dependency to version 9.2.1. Pinning versions is also recommended for the other projects of the same author, who maintained 41 packages; some of them (js-queue, easy-stack, js-message, event-pubsub) likewise have about a million downloads per week.
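As an added check (example code written for this page, not code from the article or from the node-ipc project), the script below audits an npm package-lock.json for the packages the article names: it flags every node-ipc that is not 9.2.1, flags peacenotwar and colors wherever they appear in the tree, lists the same-author packages so they can be frozen, and builds an npm `overrides` block (a package.json field supported since npm 8.3) from the findings. It handles both lockfileVersion 1 (nested `dependencies` tree) and lockfileVersion 2/3 (`packages` map keyed by path). The two sample lockfiles and every version number in them are constructed for the example.

```javascript
// Added example: audit an npm lockfile for the node-ipc incident.
// Not code from the article or the node-ipc project. Package names come
// from the article; all version numbers in the samples are constructed.

const SAFE_NODE_IPC = "9.2.1"; // the one release the advice says to pin to
const SAME_AUTHOR = new Set(["js-queue", "easy-stack", "js-message", "event-pubsub"]);
const PROTEST_DEPS = new Set(["peacenotwar", "colors"]); // pulled in by 9.2.2 / 11.x

// lockfileVersion 1: a nested "dependencies" tree. Yields [name, version, path].
function* walkV1(deps, parentPath) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    yield [name, entry.version, path];
    if (entry.dependencies) yield* walkV1(entry.dependencies, path + "/");
  }
}

// lockfileVersion 2/3: a flat "packages" map keyed by install path, e.g.
// "node_modules/@vue/cli/node_modules/node-ipc". The package name (scope
// included) is everything after the last "node_modules/".
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    yield [name, entry.version, path];
  }
}

// Decide what, if anything, to do about one resolved package.
function classify(name, version) {
  if (name === "node-ipc") return version === SAFE_NODE_IPC ? null : `pin to ${SAFE_NODE_IPC}`;
  if (PROTEST_DEPS.has(name)) return "remove or review: protestware dependency";
  if (SAME_AUTHOR.has(name)) return `pin to ${version} (same maintainer as node-ipc)`;
  return null;
}

// Walk whichever lockfile format was given and return the list of findings.
function auditLockfile(lock) {
  const walker = lock.lockfileVersion >= 2
    ? walkV2(lock.packages)
    : walkV1(lock.dependencies, "");
  const findings = [];
  for (const [name, version, path] of walker) {
    const action = classify(name, version);
    if (action) findings.push({ name, version, path, action });
  }
  return findings;
}

// Build an npm "overrides" object: node-ipc forced to 9.2.1, same-author
// packages frozen at the versions already resolved. A package resolved at
// several different versions is left out so it gets resolved by hand.
function buildOverrides(findings) {
  const versions = new Map();
  for (const f of findings) {
    if (f.name === "node-ipc") {
      versions.set(f.name, new Set([SAFE_NODE_IPC]));
    } else if (SAME_AUTHOR.has(f.name)) {
      if (!versions.has(f.name)) versions.set(f.name, new Set());
      versions.get(f.name).add(f.version);
    }
  }
  const overrides = {};
  for (const [name, set] of versions) if (set.size === 1) overrides[name] = [...set][0];
  return overrides;
}

// Constructed sample: a v2 lockfile where the root pulls the destructive
// 10.1.2 and a nested copy under a CLI tool is already at 9.2.1.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/@vue/cli": { version: "0.0.0-constructed" },
    "node_modules/@vue/cli/node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/js-queue": { version: "2.0.2" },
  },
};

// Constructed sample: a v1 lockfile where node-ipc 9.2.2 drags in colors
// and peacenotwar as nested dependencies.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "node-ipc": {
      version: "9.2.2",
      dependencies: { colors: { version: "1.4.2" }, peacenotwar: { version: "1.0.0" } },
    },
    "event-pubsub": { version: "4.3.0" },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  const findings = auditLockfile(lock);
  console.log(JSON.stringify({ findings, overrides: buildOverrides(findings) }, null, 2));
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and merge the returned `overrides` object into package.json; the `colors` and `peacenotwar` hits are deliberately kept out of `overrides` because pinning a protest dependency does not remove it.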

Addendum: other attempts to add behaviour unrelated to an application's direct functionality, triggered by IP address or system locale, have also been recorded in various open-source packages. The most innocuous of these changes (es5-ext, rete, PHP Composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) amount to showing users in Russia and Belarus a call to end the war. More dangerous cases have also surfaced: for example, an encryptor was added to the AWS Terraform modules packages and political restrictions were introduced into their license, and the Tasmota firmware for ESP8266 and ESP32 devices gained a built-in backdoor capable of blocking the devices' operation. Such activity is expected to seriously undermine trust in open-source software.

Source: opennet.ru
