Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion
Mar 17, 2022
In what's an act of deliberate sabotage, the developer behind the popular "node-ipc" NPM package shipped a new tampered version to condemn Russia's invasion of Ukraine, raising concerns about security in the open-source and the software supply chain . Affecting versions 10.1.1 and 10.1.2 of the library, the alterations introduced by its maintainer RIAEvangelist brought about undesirable behavior by targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing them with a heart emoji. Node-ipc is a prominent node module used for local and remote inter-process communication ( IPC ) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads. "A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus," Synk researcher Liran Tal said ...