Dev Sabotages Popular NPM Package to Protest Russian Invasion

In the latest software supply-chain attack, the code maintainer added malicious code to the hugely popular node-ipc library to replace files with a heart emoji and a peacenotwar module.

The developer behind the hugely popular npm package “node-ipc” has released sabotaged versions of the library to condemn Russia’s invasion of Ukraine: a supply-chain tinkering that he’d prefer to call “protestware” as opposed to “malware.”

Regardless of the peace-not-war messaging, node-ipc is now being tracked as a malicious package: one with malicious code that targets users with IP addresses located in Russia or Belarus that overwrites their files with a heart emoji.

It started on March 8, when npm maintainer Brandon Nozaki Miller (aka RIAEvangelist) wrote source code and published an npm package called peacenotwar and oneday-test on both npm and GitHub.

Infosec Insiders Newsletter

The peacenotwar module adds a message of peace to users’ desktops. It only does it once, “just to be polite,” according to Miller’s module description:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.

The peacenotwar message that gets added to desktops is accompanied by a music video of a song used in the March 15 One Day – Benefit for Ukraine. The message:

War is not the answer, no matter how bad it is. Please stand up against this injustice and stand up against evil. Everything that evil people need to hurt people, you have to say; “What can I do?” You are one person. It’s powerful. When one person is standing next to another and they are standing next to another, you soon have movement. Here’s how little people can come together for more than one person. Do what you think is right, follow your own morals.

Up until Tuesday, the module “had virtually no downloads at all,” according to a Wednesday alert and deep technical dive of the incidents posted by developer-security platform Synk. It didn’t stay that way, though, wrote Synk director of developer advocacy Liran Tal.

It changed when RIAEvangelist added the module as a dependency to node-ipc: a popular dependency that many JavaScript developers in the ecosystem rely upon, Tal explained – including the popular Vue.js frontend JavaScript framework, aka npm package @vue/cli.

Synk illustrated the nested dependency tree, shown below, which illustrates “how node-ipc trickles into the Vue.js CLI npm package and further promotes the need to vet nested dependencies as a holistic risk.”

Nested dependency tree showing the relation between node-ipc and the Vue.js CLI npm package. Source: Synk.

As of today, Thursday, the node-ipc library, used by millions weekly, was being downloaded 1,114,524 times per week.

npm Supply-Chain Attack

On Tuesday, March 15, Vue.js users started experiencing what Thal said “can only be described as a supply chain attack impacting the npm ecosystem” – the result of the nested dependencies node-ipc and peacenotwar “being sabotaged as an act of protest by the maintainer of the node-ipc package.”

Regardless of the pro-peace messaging, the security incident “involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms,” Tal asserted.

“While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security,” he added.

In the wake of the SolarWinds software supply attack of 2020, President Biden issued an executive order advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter this kind of far-ranging attack.

Besides SolarWinds, the software supply-chain attack problem more recently was underscored by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keeping meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our rib about when it recently came time for end-of-year coverage.

Peacenotwar: A Non-Peaceful 9.8 Criticality Rating

As far as the peacenotwar supply chain attack goes, Snyk is tracking the security incidents as CVE-2022-23812 for node-ipc – a vulnerability that, as yet, hasn’t been analyzed by NIST’s National Vulnerability Database (NVD) but which Synk rates with a critical score of 9.8, given that it’s easy to exploit.

Synk is tracking the incidents with the peacenotwar and oneday-test npm modules as SNYK-JS-PEACENOTWAR-2426724, with a low criticality rating of 3.7, given that attack complexity is high.

The advice for how to fix the vulnerabilities: Stay the &^%$ away.

“Avoid using peacenotwar altogether,” Synk advised.

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles