Developer node-ipc adds bug that deletes Russian files in protest
The developer of the popular JavaScript library node-ipc has intentionally introduced a critical vulnerability in the library that overwrites files on the computers of users with an IP address in Russia or Belarus, and then displays a call for world peace.
Node-ipc is used in the vue.js framework, among others, and is fetched a million times a week from the NPM registry. GitHub writes that developer Brandon Nozaki Miller deliberately introduced a critical vulnerability to the library, which overwrites “arbitrary files” on the user’s system depending on the geolocation of the user’s IP address.
The vulnerability was added by Miller between March 7 and 8, in versions 10.1.1 and 10.1.2 of the library, writes The Register. When node-ipc is retrieved and run by a user, the library checks the IP address of the host computer. If it has an IP address from Russia or Belarus, then the library will try to overwrite as many files on the computer as possible with a heart symbol. Version 10.1.3 was released shortly after and did not have that vulnerability. Versions 10.1.1 and 10.1.2 were removed from the NPM registry.
Miller then posted version 11 and version 9.2.2 of the library online, which created a text file on the desktop and in users’ OneDrive folders, saying, “War is not the solution, no matter how bad it is.” Miller turned that package into a dependency for node-ipc, which in turn is used as a dependency by many other JavaScript developers, writes security platform Snyk in a blog post. Vue CLI could also be affected by the vulnerability.
Miller, known as RIAEvangelist, explains on GitHub that exactly what the library does is documented, and he says that anyone is free to pin their dependencies to earlier versions of the library if they don’t want to be affected by the vulnerability. Nor should it come as a surprise to users of the library, he said: “Everything is public, documented, licensed and open source.”