It seems that the developer of the popular package node-ipc has decided to make some changes to his package and release them into the npm package manager. The changes were found in certain new versions of the package (10.1.1 and 10.1.2) and contain code that can overwrite and/or delete arbitrary files. The code also performs a geo-lookup on the systems IP address to see if it is either in Russia or Belarus. The issue was identified by open source security researchers at snky.
What makes this more interesting is that the developer of node-ipc appears to have started their protest in a much less destructive way. Around March 8th there are indications that the developer published packages to npm and GitHub that did not do much more than add a “message of peace” on the desktop of anyone that installed them. The developer, RIAEvangelist, said it was to be a "non-destructive example of why controlling your node modules is important," and would serve as a “non-violent protest against Russia's aggression”
However, by the time these two files were being talked about the destructive code had already been added to the node-ipc package and was set to deliver its payload. The code itself was obfuscated used base64 encoded strings so make detection more complex. The affected versions of code also were seen to have bundled one of the packages that contained the “message of peace” in this case it was the peacenotwar package and this produces a file called “WITH-LOVE-FROM-AMERICA[.]txt”
As we saw with Log4J vulnerabilities in a popular open source package or function can wreak havoc across the world. In the case of Log4j, it was an unintended consequence of a flaw found in the default configuration of the code. With node-ipc we have an intentional poisoning of the package code itself and by the actual developer. This move by the developer will not only affect many other packages and applications, but it will also cast serious doubt on the community itself. If the developer of a package is willing to insert malicious code into their own code and push that out to the world, how can anyone trust other packages that are being developed? The response on GitHub and elsewhere has been overwhelmingly bad and RIAEvangelist has even been called out for editing and deleting comments on the topic.
Developers that use node-ipc have been advised to pin the version dependency for node-ipc to a known safe version and not just grab the latest stable version as a precaution. Between this incident, Log4J, issues found in OpenSSL and the Colors and Fakers supply chain “protestware” the open source community has taken a fairly big hit in the past year.