JavaScript library updated to wipe files from Russian computers

Package used by big apps now drops anti-war text files on desktops


The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers' files.

Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a week from the NPM registry, and is described as an "inter-process communication module for Node, supporting Unix sockets, TCP, TLS, and UDP."

It appears Miller intentionally changed his code to overwrite the host system's data, then changed the code to display a message calling for world peace, as a protest against Russia's invasion of Ukraine. GitHub on Wednesday declared this a critical vulnerability tracked as CVE-2022-23812.

"The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address," the Microsoft-owned biz said.

Between March 7 and March 8, versions 10.1.1 and 10.1.2 of the library were released. When imported as a dependency and run by a project, these checked if the host machine had an IP address in Russia or Belarus, and if so, overwrote every file it could with a heart symbol. Version 10.1.3 was released soon after without this destructive functionality; 10.1.1 and 10.1.2 were removed from the NPM registry.

Version 11 was then published, and the following week version 9.2.2. Both brought in a new package by Miller called peacenotwar, which creates files called WITH-LOVE-FROM-AMERICA.txt in users' desktop and OneDrive folders. This text file is supposed to contain a message from the developer stating among other things, "war is not the answer, no matter how bad it is," though some folks reported the file was empty.

Whenever node-ipc versions 11 or 9.2.2 are used as a dependency by another project, they bring in peacenotwar and run it, leaving files on people's computers. Version 9.2.2 has disappeared from the NPM registry along with the destructive 10.1.x versions. Vue.js, for one, brought in node-ipc 9.2.2 while it was available, as 9.x is considered a stable branch, meaning there was a period in which some Vue developers may have had .txt files show up unexpectedly.

In other words, not too many people fetched the destructive version, as big apps and frameworks will have used the stable branch, which for a short while dropped .txt files. Anyone using bleeding-edge versions may have had their files vanished, or found manifestos saved to their computers.

A timeline of events has been documented by infosec outfit Snyk. We note that the landing page for the node-ipc module on NPM states "as of v11 this module uses the peacenotwar module."

Miller has defended his peacenotwar module on GitHub, saying "this is all public, documented, licensed and open source." Earlier, there were more than 20 issues flagged against node-ipc about its bad behavior, and just now plenty more over on peacenotwar.

Some of the comments referred to Miller's creation as "protestware." Others might call it malware. The programmer was not available for comment.

Someone even claimed an American NGO had their production files on one system trashed by node-ipc as they were running the library on a monitoring server in Belarus with an IP address that triggered the data-wiping code.

The continuing rise of the Node.js JavaScript framework has given the world a whole new type of software vulnerability.

Node's package manager is NPM, which is overseen and owned these days by GitHub along with NPM's registry of modules. This tool makes it easy for Node apps to automatically pull in other libraries of code directly from online repositories. This results in vast numbers of downloads for many modules, meaning that small code changes can propagate very rapidly across large numbers of computers.

The file-dropping version of node-ipc got sucked into version 3.1 of Unity Hub, a tool for the extremely popular Unity games engine – although it was removed the same day.

"This hot-fix eliminates an issue where a third-party library was able to create an empty text file on the desktop of people using this release version," the Unity team wrote. "While it was a nuisance, the issue did not include malicious functionality. Any user that had this file appear on their desktop after updating the Unity Hub can delete this file."

This is far from the first time something like this has happened. In 2016, a developer removed his tiny leftpad library from NPM, breaking thousands of other apps. Earlier this year, another developer added a breaking change to his library as a protest.

Infosec firm WhiteSource said earlier this year it detected in 2021 1,300 malicious npm packages. It reported them to npm, which quietly removed them. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022