As a deliberate act of sabotage, the developer behind the popular "node-ipc" NPM package published a tampered new version to denounce the Russian invasion of Ukraine, raising concerns about open source and security in the software supply chain.
Changes made by its maintainer, RIAEvangelist, in versions 10.1.1 and 10.1.2 of the library introduced destructive behavior: on systems whose IP address geolocates to Russia or Belarus, the package wipes the contents of files at random and replaces them with a heart emoji.
Node-ipc is a leading node module for local and remote interprocess communication (IPC) with support for Linux, macOS, and Windows. It has more than 1.1 million weekly downloads.
"For any system where this NPM package will be invoked, if it matches the geographic location of Russia or Belarus, a very clear exploit and a critical supply chain security incident will occur," Snyk researcher Liran Tal said in an analysis.
The issue has been assigned the identifier CVE-2022-23812 and is rated 9.8 out of 10 in the CVSS vulnerability scoring system. The malicious code changes were released on March 7 (version 10.1.1), and a second update (version 10.1.2) followed 10 hours later that same day.
Interestingly, even though the destructive changes were removed from the library with version 10.1, a major update was published less than four hours later (version 11.0.0) that added another dependency called "peacenotwar", a package RIAEvangelist publishes as a "non-violent protest against Russian aggression."
Source: https://thehackernews.com/2022/03/popular-npm-package-updated-to-wipe.html