Popular npm Package Deletes Files on Russian and Belarusian Developers’ Systems
A popular npm package, node-ipc, was recently updated by its developer to protest the ongoing “special operation” in Ukraine. The new versions of the package delete all data and overwrite files on the computers of developers located in Russia and Belarus, and also create text files calling for peace.
Wiper in node-ipc
Node-ipc is downloaded over 1 million times per week and is a critical package relied upon by many other libraries, including the Vue.js CLI. According to BleepingComputer, the destructive code is present in versions 10.1.1 and 10.1.2 of the package, which are now tracked as malware under the identifier CVE-2022-23812.
The situation began on March 8, when developer Brandon Nozaki Miller, known as RIAEvangelist, published open-source packages peacenotwar and oneday-test on both npm and GitHub. These packages were apparently created as a form of protest, as they add a “call for peace” message to the desktop of anyone who installs them.
However, it was later discovered that some versions of the well-known node-ipc library, also maintained by RIAEvangelist, contain much more destructive payloads aimed at destroying all data and overwriting files on users’ systems. The malicious code, introduced into the packages on March 7, 2022, uses the system’s external IP address to determine its location and deletes data (by overwriting files) only for users in Russia and Belarus.
A simplified version of this code, already published by researchers, shows that for users in Russia and Belarus, the code overwrites the contents of all files on the system, replacing them with heart emojis, effectively erasing the data.
Since node-ipc versions 9.2.2, 11.0.0, and later include Peacenotwar, affected users also find a message on their desktop titled “WITH-LOVE-FROM-AMERICA.txt,” in which the author calls for peace.
Researchers from Snyk also discovered and analyzed this malicious activity. In their blog post, they write:
“This is a clear case of abuse. A critical supply chain security incident will impact any system where this npm package is invoked, if the system’s geographic location matches Russia or Belarus.”
Snyk analysts suspect that the damaging node-ipc versions 10.1.1 and 10.1.2 were removed from npm within 24 hours of publication. However, node-ipc versions 11.0.0 and above are still available and contain the Peacenotwar component, which leaves “peace messages” on the desktop.
Worse, the resulting panic has already affected users of the popular JavaScript framework Vue.js, which also depends on node-ipc. After the incident, users asked the Vue.js developers to use only safe versions of node-ipc that do not attempt to destroy their data.
BleepingComputer notes that Vue.js is not the only open-source project affected by this sabotage. For example, developers Lukas Mertens and Fedor have already warned other developers not to use the malicious version of node-ipc.
Currently, version 9.2.1 of node-ipc is considered safe. However, developers are advised to be cautious when using node-ipc and other libraries by RIAEvangelist, as there are no guarantees that future versions will be safe.
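Because the affected versions are fixed and well documented, the practical defender’s check is to scan a project’s lockfile, including transitive copies pulled in by tools like the Vue.js CLI, and classify each node-ipc version found. The following script is an added example, not code from the article or from the node-ipc project; the version classifications are the ones the article gives, and the lockfile content is constructed sample input.

```javascript
// Added example: classify node-ipc versions found in an npm package-lock.json.
// Version categories follow the article: 10.1.1/10.1.2 carry the wiper
// (CVE-2022-23812), 9.2.2 and 11.0.0+ ship the peacenotwar desktop file,
// 9.2.1 is the version currently considered safe; anything else is "unverified".
const DESTRUCTIVE = new Set(["10.1.1", "10.1.2"]);
const PROTESTWARE_EXACT = new Set(["9.2.2"]);
const PROTESTWARE_MIN_MAJOR = 11;
const KNOWN_SAFE = new Set(["9.2.1"]);

function classifyNodeIpc(version) {
  if (DESTRUCTIVE.has(version)) return "destructive";
  const major = parseInt(version.split(".")[0], 10);
  if (PROTESTWARE_EXACT.has(version) || major >= PROTESTWARE_MIN_MAJOR) return "protestware";
  if (KNOWN_SAFE.has(version)) return "safe";
  return "unverified";
}

// Handles both lockfile layouts: the flat "packages" map of lockfileVersion 2/3
// (keys are install paths) and the nested "dependencies" tree of lockfileVersion 1.
// A v2 lockfile also carries a legacy "dependencies" tree, so only one is walked.
function findNodeIpc(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/node-ipc")) hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc") hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/"); // nested (deduplication-failed) copies
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, verdict: classifyNodeIpc(h.version) }));
}

// Constructed sample lockfile (v2): a hoisted wiper version plus a nested safe copy
// under a hypothetical package "some-tool".
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.2.1" },
  },
};

console.log(findNodeIpc(SAMPLE_LOCK));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any "destructive" or "protestware" verdict is grounds to pin the dependency back to 9.2.1 before the next install.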
Community Reaction
This is already the second protest by an open-source developer that the community has faced recently. The first was Marak Squires, author of the faker and colors libraries, which have over 20 million downloads per week on npm alone.
In December last year, many developers found that both libraries were malfunctioning, affecting the performance of their own products. Both libraries produced gibberish instead of code, preceded by the words “LIBERTY LIBERTY LIBERTY.” In particular, this caused issues for anyone using the Amazon Cloud Development Kit.
It turned out that the package author had intentionally sabotaged his code, and the readme file accompanying the malicious update included the message: “What really happened with Aaron Swartz?” He also posted this message on Twitter, linking to a Reddit thread condemning Swartz’s death after discovering child pornography on MIT servers.
Squires did this as an act of revenge against corporations and commercial users of open-source solutions. He argued that they often rely on free software maintained by the community but give nothing back in return. As early as November 2020, the developer wrote that he would no longer support corporations or do “free work” for them. He advised commercial organizations to consider creating forks or paying him a six-figure salary.
Many criticized Squires at the time, and now RIAEvangelist, who maintains over 40 npm packages, is facing even harsher criticism for his sabotage. Almost everyone agrees that this goes far beyond a “peaceful protest,” and deploying destructive payloads in a popular library is highly unethical. Many believe this undermines the very principles and foundations of the open-source community.
“You just successfully destroyed the entire open-source developer community. Are you happy now, @RIAEvangelist?” one user asked the activist.
“Even if RIAEvangelist’s deliberate and dangerous actions are seen by some as a legitimate act of protest, how will this affect the maintainer’s future reputation and contributions to the developer community?” others ask.
Additionally, users have discovered that RIAEvangelist is now trying to cover his tracks by actively editing and deleting previous comments.