In what is an act of deliberate sabotage, the developer behind the popular "node-ipc" NPM package shipped a new tampered version to condemn Russia's invasion of Ukraine, raising concerns about the security of open-source software and the software supply chain.
Affecting versions 10.1.1 and 10.1.2 of the library, the alterations introduced by its maintainer RIAEvangelist brought about undesirable behavior by targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing them with a heart emoji.
Node-ipc is a prominent node module used for local and remote inter-process communication (IPC) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads.
"A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus," Snyk researcher Liran Tal said in an analysis.
The issue has been assigned the identifier CVE-2022-23812 and is rated 9.8 out of 10 on the CVSS vulnerability scoring system. The malicious code changes were published on March 7 (version 10.1.1), with a second update occurring 10 hours later the same day (version 10.1.2).
Interestingly, although the destructive modifications were removed from the library with version 10.1., a major update was pushed after less than four hours (version 11.0.0), which imported another dependency called "peacenotwar," also released by RIAEvangelist as a form of "non-violent protest against Russia's aggression."
"Any time the node-ipc module functionality gets called, it prints to STDOUT a message taken out of the peacenotwar module, as well as places a file on the user's Desktop directory with contents relating to the current war-time situation of Russia and Ukraine," Tal explained.
As of March 15, 2022, the latest version of node-ipc, 11.1.0, bumps the "peacenotwar" package version from 9.1.3 to 9.1.5 and bundles the "colors" NPM library, while also removing the STDOUT console messages.
It's worth noting that "colors," along with another package called "faker," were both intentionally sabotaged earlier this January by their developer Marak Squires, who introduced infinite loops into the source code, effectively breaking other applications that depended on the libraries.
According to Bleeping Computer, which first reported the corruption, the changes are said to have been retaliatory, with the developer noting that "Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work."
If anything, the idea of using popular modules as "protestware" to deploy destructive payloads and stage a supply chain compromise runs the risk of undermining trust in open-source software.
"This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," Tal said. "While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security."
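Because the affected node-ipc releases can arrive as a transitive dependency, a lockfile audit is the quickest way to know whether a project pulled them in. The following is an added example, not code from the article or from the node-ipc project: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, flags the 10.1.1 and 10.1.2 wiper releases and the 11.x line that the article describes as importing peacenotwar, and reports any peacenotwar entry directly. The sample lockfile and the "some-tool" package in it are constructed for the demonstration.

```javascript
// Versions described in the article: 10.1.1 and 10.1.2 carried the
// file-wiping payload (CVE-2022-23812); 11.0.0 and later (as of March 15,
// 2022) import the "peacenotwar" protestware module.
const WIPER_VERSIONS = new Set(['10.1.1', '10.1.2']);

// Minimal semver compare for "x.y.z" strings: is v >= min?
function atLeast(v, min) {
  const a = v.split('.').map(Number);
  const b = min.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Walk a parsed lockfileVersion 2/3 package-lock.json and return one finding
// per suspect entry. Nested paths are walked too, so transitive copies
// (node_modules/a/node_modules/node-ipc) are caught, not just direct deps.
function auditLock(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const version = meta.version || '';
    if (name === 'node-ipc' && WIPER_VERSIONS.has(version)) {
      findings.push({ path, name, version, issue: 'destructive payload (CVE-2022-23812)' });
    } else if (name === 'node-ipc' && atLeast(version, '11.0.0')) {
      findings.push({ path, name, version, issue: '11.x line imports peacenotwar' });
    } else if (name === 'peacenotwar') {
      findings.push({ path, name, version, issue: 'protestware dependency present' });
    }
  }
  return findings;
}

// Constructed sample lock: node-ipc is pulled in transitively by a
// hypothetical "some-tool" package, with peacenotwar nested beneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/some-tool': { version: '2.3.0', dependencies: { 'node-ipc': '^11.0.0' } },
    'node_modules/some-tool/node_modules/node-ipc': { version: '11.1.0' },
    'node_modules/some-tool/node_modules/node-ipc/node_modules/peacenotwar': { version: '9.1.5' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock` instead of `SAMPLE_LOCK`; a non-empty result means the dependency should be pinned away from the affected range or removed.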