A developer modified open source software to erase files in Russia


The developer of a popular open-source package was caught adding malicious code to it, leading to deletion of files on computers located in Russia and Belarus. The move was part of a protest that angered many users and raised concerns about the security of free and open source software.

The application, node.ipc, adds remote interprocess communication and neural network capabilities to other open source code libraries. As a dependency, node.ipc is automatically downloaded and integrated with other libraries, including ones like Vue.js CLI, which has over a million weekly downloads.

A deliberate and dangerous act

Two weeks ago, the author of node.ipc released a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new version added a function that checked the IP address of developers who used node.ipc in their own projects. When an IP address was geolocated in Russia or Belarus, the new version erased the files from the machine and replaced them with a heart-shaped emoji.

To conceal the maliciousness, node.ipc author Brandon Nozaki Miller encoded the changes in Base64 to make things more difficult for users who wanted to visually inspect them for problems.

Here’s what those developers saw:

+ const n2 = Buffer. from(“Li8=”, “base64”);
+ const o2 = Buffer. from(“Li4v”, “base64”);
+ const r = Buffer. from(“Li4vLi4v”, “base64”);
+ const f = Buffer. from(“Lw==”, “base64”);
+ const c = Buffer. from(“Y291bnRyeV9uYW1l”, “base64”);
+ const e = Buffer. from(“cnVzc2lh”, “base64”);
+ const i = Buffer. from(“YmVsYXJ1cw==”, “base64”);
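
Review bot: every string literal added in these lines is Base64-encoded and bound to a one- or two-letter name, so a reader cannot tell what the change operates on without decoding each value. Decoded, c, e and i are "country_name", "russia" and "belarus", and the other four are directory paths. Encoded paths and country names have no evident purpose in an interprocess communication library; the literals should be written in plain text with a comment explaining each before this change is accepted.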

These values were then passed to the timer function, for example:

+ h(n2.toString(“utf8”));
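
Review bot: the call to h passes the decoded value of n2, a directory path, into a function whose single-letter name says nothing about what it does with that path. The function should be given a descriptive name and its effect on the path it receives should be documented before this call can be reviewed.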

The decoded Base64 string values were:

  • n2 is set to: ./
  • o2 is set to: ../
  • r is set to: ../../
  • f is set to: /

When passed to the timer function, the strings were then used as input to erase the files and replace them with the heart emoji.

+ try {
+ import_fs3.default.writeFile(i, c.toString(“utf8”), function() {
+ });
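
Review bot: the callback passed to writeFile at "function() {" is empty, so any write error is silently discarded, and both the target path (i) and the content (c.toString("utf8")) come from variables rather than visible literals. A file write whose destination and payload cannot be read from the change itself should not be merged; the path and content should be stated in plain text, and the callback should handle the error argument.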

“At this point, a very clear abuse and critical supply chain security incident will occur for any system this npm package is invoked on, whether it matches a geolocation of Russia or Belarus,” wrote Liran Tal, a researcher at Snyk, a security company that has tracked the changes and published its findings Wednesday.
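
The Base64-encoded literals described above can be surfaced mechanically during dependency review. The following is an added example, not code from node.ipc or from Snyk: it scans JavaScript source for `Buffer.from(..., "base64")` string literals, decodes them, and tags those that look like filesystem paths or geolocation keys. The sample input, the `findEncodedLiterals` name and the tagging rules are assumptions made for illustration.

```javascript
// Added example: list Base64 literals passed to Buffer.from() in JS source.
// SAMPLE is constructed here from the strings quoted in the article.
const SAMPLE = [
  'const n2 = Buffer.from("Li8=", "base64");',
  'const r = Buffer.from("Li4vLi4v", "base64");',
  'const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");',
  'const e = Buffer.from("cnVzc2lh", "base64");',
  'const ok = Buffer.from("hello", "utf8");', // not Base64: must be ignored
].join("\n");

// Matches Buffer.from(<string literal>, "base64") with single or double quotes.
const B64_CALL =
  /Buffer\s*\.\s*from\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*,\s*(["'])base64\3\s*\)/g;

// Hypothetical triage rules: decoded values that look like filesystem paths
// or geolocation keys deserve a human look in a library with no need for them.
const RULES = [
  { tag: "path", test: (s) => /^(\.{0,2}\/)+/.test(s) },
  { tag: "geo", test: (s) => /country|russia|belarus/i.test(s) },
];

function findEncodedLiterals(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(B64_CALL)) {
      const decoded = Buffer.from(m[2], "base64").toString("utf8");
      // Skip blobs that are not printable ASCII; they need a different review.
      if (!/^[\x20-\x7e]+$/.test(decoded)) continue;
      const tags = RULES.filter((rule) => rule.test(decoded)).map((rule) => rule.tag);
      findings.push({ line: idx + 1, encoded: m[2], decoded, tags });
    }
  });
  return findings;
}

// Print one line per finding so the output can be pasted into a review.
for (const f of findEncodedLiterals(SAMPLE)) {
  const tags = f.tags.join(",") || "untagged";
  console.log(`line ${f.line}: ${f.encoded} -> ${JSON.stringify(f.decoded)} [${tags}]`);
}
```
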

Tal discovered that the author of node.ipc maintains 40 other libraries, some or all of which are also dependencies for other open source packages. Referring to the pseudonym of the author of node.ipc, Tal questioned the wisdom of the protest and its likely fallout on the open source ecosystem as a whole.

“Even if the RIAEvangelist maintainer’s deliberate and dangerous act will be seen by some as a legitimate act of protest, how will this affect the maintainer’s future reputation and participation in the developer community?” wrote Tal. “again for not following through with future acts in such actions or even more aggressive actions for any projects they are involved in?”

Gone forever

RIAEvangelist has also been criticized on Twitter and in open source forums. The new version of malicious code, wrote a person claiming to work for a US-based organization that operated a server in Belarus, “resulted in the execution of your code and the deletion of over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian military and government officials”.

The person, who then deleted the post and reposted it here, said that the purpose of the Belarusian server was to circumvent censorship in that country. The organization’s personnel had already been exhausted since Russia began its invasion of Ukraine on Feb. 24, the person said, and for reasons that are unclear, messages from frontline soldiers and other sensitive data are probably gone forever.
