It started as an innocent protest. Npm[1] package maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-source npm package called peacenotwar[2]. It did little except add a protest message against Russia's invasion of Ukraine. But then it took a darker turn: it began destroying computers' file systems.
To be exact, Miller added code that would delete the file system of any computer with a Russian or Belarusian IP address.[3] Then its maintainer added the module as a dependency to the extremely popular node-ipc module. Node-ipc, in turn, is a popular dependency that many JavaScript programmers use. And so it went from annoying to a system destroyer.
The code has undergone several changes since it first appeared, but it must be regarded as highly dangerous. Underlining its potential for damage, Miller encoded his code changes in base64 to make the problem harder to spot by simply reading the code.
According to developer security company Snyk[4], which uncovered the problem, "node-ipc (versions >=10.1.1 <10.1.3) is a malicious package.[5] This package contains malicious code that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji." It's now being tracked as CVE-2022-23812[6]. Snyk gives this corrupted open-source package a Common Vulnerability Scoring System (CVSS) rating of 9.8, critical.
In other words, you simply shouldn't use it at all. Period.
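Knowing whether a project pulls in the affected versions is harder than it sounds, because node-ipc usually arrives as a transitive dependency rather than one you installed by hand. The following script is an added example, not code from the article, Snyk, or the node-ipc project: it walks a package-lock.json (both the v2/v3 "packages" map and the older v1 nested "dependencies" tree) and flags any copy of node-ipc whose version falls in the range Snyk reported, >=10.1.1 <10.1.3. The package names in the embedded sample lockfile are constructed placeholders.

```javascript
// Added example (not from the article): audit a package-lock.json for the
// node-ipc versions Snyk reported as malicious (>=10.1.1 <10.1.3, CVE-2022-23812),
// including copies nested under other dependencies.

// Affected ranges, expressed as [min, max): min inclusive, max exclusive.
const MALICIOUS_RANGES = {
  'node-ipc': [{ min: [10, 1, 1], max: [10, 1, 3] }],
};

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `name`@`version` is inside one of the known malicious ranges.
function isMalicious(name, version) {
  const ranges = MALICIOUS_RANGES[name];
  const parsed = parseVersion(version);
  if (!ranges || !parsed) return false;
  return ranges.some(
    (r) => compareVersions(parsed, r.min) >= 0 && compareVersions(parsed, r.max) < 0
  );
}

// Return every hit as { name, version, path } so the report shows *where*
// in node_modules the bad copy lives (a nested copy is easy to miss).
function findMaliciousPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path) continue;
      const idx = path.lastIndexOf('node_modules/');
      const name = entry.name || path.slice(idx + 'node_modules/'.length);
      if (isMalicious(name, entry.version)) hits.push({ name, version: entry.version, path });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; recurse into each entry's own dependencies.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (isMalicious(name, entry.version)) hits.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (placeholder package names, not a real project):
// a clean top-level node-ipc plus a malicious copy nested under another dependency.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/example-transitive-dep': { version: '2.0.0', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/example-transitive-dep/node_modules/node-ipc': { version: '10.1.2' },
  },
};

// Run directly: `node audit-node-ipc.js [path/to/package-lock.json]`;
// without an argument the embedded sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const hits = findMaliciousPackages(lock);
  for (const h of hits) console.log(`MALICIOUS ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The script exits non-zero on any hit so it can gate a CI step; the version comparison is hand-rolled so the audit itself adds no third-party dependency.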
That's easier said than done. Node-ipc is present in many programs. This Node.js module is used for local and remote InterProcess Communication (IPC) on Linux, Mac, and Windows systems. It's also used in the very popular vue-cli[7], a JavaScript framework for building web-based user interfaces. From there, this malware