Corrupt open source software enters the Russian battlefield


It started as an innocent protest. Brandon Nozaki Miller, the npm maintainer known as RIAEvangelist, wrote and released an open source npm package called peacenotwar. He did little more than add a message of protest against Russia’s invasion of Ukraine. But then it took a darker turn: it started destroying computer file systems.

To be exact, Miller added code that wipes the file system of any computer with a Russian or Belarusian IP address. Then node-ipc’s maintainer added the module as a dependency of the hugely popular node-ipc module. Node-ipc, in turn, is a popular dependency that many JavaScript programs use. And so it went from annoying to system-destroying.

The code has undergone several modifications since it first appeared, but it should still be considered very dangerous. Underlining its potential for damage, Miller encoded his code changes in base64, making the problem harder to spot by simply reading the code.

According to developer security company Snyk, which discovered the problem, node-ipc (versions >=10.1.1) “contains malicious code that targets users with IP addresses located in Russia or Belarus, and overwrites their files with a heart-shaped emoji.” It is now tracked as CVE-2022-23812. Snyk gives this corrupted open source package a Common Vulnerability Scoring System (CVSS) score of 9.8, which is rated critical.

In other words, you just shouldn’t use it at all. Period.

That is easier said than done. Node-ipc is present in many programs. This Node.js module is used for local and remote inter-process communication (IPC) on Linux, Mac and Windows systems. It is also used in the very popular vue-cli, part of the Vue JavaScript framework for creating web-based user interfaces. From there, this malware destroyed a large number of systems.

Liran Tal, the Snyk researcher who uncovered the issue, said: “While the RIAEvangelist maintainer’s deliberate and dangerous act will be seen by some as a legitimate act of protest, how will it affect the future reputation of the maintainer and their stake in the community of developers? Would this maintainer be trusted again not to follow through on such actions, or even more aggressive actions, for any projects they are involved in?”

Miller himself defended his peacenotwar module on GitHub, saying: “It’s all public, documented, licensed, and open source.”

But, what if someone did that and didn’t leave such a message? And, if it was important to let users make an informed decision, why was the dangerous code obfuscated?

Anyway, as we all know, people suck at reading documentation. Besides, as Sophos senior threat researcher Sean Gallagher tweeted, anyone who just willy-nilly adds code to their production systems is asking for trouble. “If you fix live dependencies for which you have no quality assurance control, you’re not doing SecOps at all.”
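Two checks a defender can run against what the article describes, as an added example that is not part of the article or of node-ipc: audit a lockfile for the node-ipc range quoted on this page (>=10.1.1; check the current advisory for the exact patched versions) and flag long base64 literals passed to Buffer.from, the obfuscation pattern the article mentions. The lockfile fragment and source snippet are constructed sample data.

```javascript
// Added example, not code from the article or from node-ipc. Audits a
// package-lock.json (lockfileVersion 2/3 "packages" layout) and scans source
// for base64-decoded blobs. All sample data below is constructed.

// Constructed lockfile fragment.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/vue-cli": { version: "4.5.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Constructed source snippet containing one base64 blob handed to Buffer.from.
const SAMPLE_SOURCE = [
  'const msg = "peace";',
  'const blob = Buffer.from("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5", "base64").toString();',
  "console.log(msg);",
].join("\n");

// Compare dotted version strings numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return "path@version" for every installed copy of `name` at or above
// minVersion (the page quotes ">=10.1.1" for node-ipc).
function findAffected(lock, name, minVersion) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith("node_modules/" + name)) continue;
    if (compareVersions(meta.version, minVersion) >= 0) hits.push(`${path}@${meta.version}`);
  }
  return hits;
}

// Heuristic: flag Buffer.from("<40+ base64 chars>", "base64") literals, which
// is how the article says the payload was hidden. Returns truncated snippets.
function findBase64Literals(source) {
  const re = /Buffer\.from\(\s*["'`][A-Za-z0-9+\/=]{40,}["'`]\s*,\s*["'`]base64["'`]\s*\)/g;
  return [...source.matchAll(re)].map((m) => m[0].slice(0, 60));
}

console.log(findAffected(SAMPLE_LOCK, "node-ipc", "10.1.1"), findBase64Literals(SAMPLE_SOURCE));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a base64 hit is a prompt to read the decoded content, not proof of malice.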

But that said, this “protestware” sets a dangerous precedent. As one programmer wrote on GitHub, “What’s going to happen is that Western corporate security teams that have absolutely nothing to do with Russia or politics are going to start seeing free and open source software as a vector for supply chain attacks (which it totally is) and just start banning free and open source software – all free and open source software – within their companies. Or at least anything maintained by the community. This will have no positive effect for Ukrainians, idiot, and will only harm FOSS [Free and open-source software] adoption.” Exactly.

In the meantime, as is usual with open source fixes, fellow developer Tyler S. Resch, known as MidSpike, has launched an effort to create a safe node-ipc fork on GitHub.
