Node-IPC NPM Package Embedded Malicious Code Vulnerability (CVE-2022-23812)

Users of the popular Vue.js frontend JavaScript framework experienced a supply chain attack on the npm ecosystem recently. The nested dependencies Node-IPC and peacenotwar were sabotaged as a protest by the maintainer of the Node-IPC package. 
 
Regardless of the peace-not-war slogan, node-ipc is now being identified as a malicious package, including malicious code that overwrites files with a love emoji and targets users with IP addresses in Russia or Belarus. 
 
This security event involved destructive acts by one maintainer, corrupting files on disk, followed by attempts to hide and restate the willful sabotage in different forms. While this is a protest-motivated attack, it points to a bigger problem in the software supply chain: transitive dependencies in your code can have a significant influence on your security.
 
The vulnerability (CVE-2022-23812) stems from malicious code that the maintainer embedded in the affected Node-IPC versions. The malicious code was intended to overwrite arbitrary files depending on the geo-location of the user’s IP address. Successful exploitation of this vulnerability may allow remote attackers to change file content.
 
Affected versions  
Node-IPC versions 10.1.1 and 10.1.2 are affected by this vulnerability. 
 
Mitigation  
Customers are requested to update to Node-IPC version 10.1.3 or later. For more information, please refer to the Node-IPC Security Advisory.
 
Qualys Detection  
Qualys customers can scan their devices with QID 376484 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://github.com/advisories/GHSA-97m3-w2cp-4xx6 
https://snyk.io/blog/peacenotwar-malicious-npm-Node-IPC-package-vulnerability/ 
https://threatpost.com/dev-sabotages-popular-npm-package-protest-russian-invasion/178972/
