The code has been modified several times since it first appeared, but it should still be considered very dangerous. Underlining its potential for harm, Miller encoded his code changes in base64, which makes the problem harder to spot by simply reading the code.
According to the developer security company Snyk, which discovered the problem, “node-ipc (versions >=10.1.1): This package contains malicious code that targets users with IP addresses located in Russia or Belarus, and overwrites their files with a heart-shaped emoji.” It is now tracked as CVE-2022-23812. Snyk gives this corrupted open-source package a critical Common Vulnerability Scoring System (CVSS) rating of 9.8.
In other words, you just shouldn’t use it at all. Period.
Liran Tal, the Snyk researcher who uncovered the issue, said: “While the RIAEvangelist maintainer’s deliberate and dangerous act will be seen by some as a legitimate act of protest, how will it affect the future reputation of the maintainer and their stake in the developer community? Would this maintainer be trusted again not to follow through with such actions, or even more aggressive ones, in any projects they are involved in?”
Miller himself defended his peacenotwar module on GitHub, saying, “It’s all public, documented, licensed, and open source.”
But, what if someone did that and didn’t leave such a message? And, if it was important to let users make an informed decision, why was the dangerous code obfuscated?
Anyway, as we all know, people suck at reading documentation. Besides, as Sophos Senior Threat Researcher Sean Gallagher tweeted, anyone who just willy-nilly adds code to their production systems is asking for trouble. “If you fix live dependencies for which you have no quality assurance control, you’re not doing SecOps at all.”
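Gallagher’s point is that you should know exactly which dependency versions reach production, and the Snyk advisory quoted above gives the range to look for. The following script is an added example, not code from the article, Snyk, or the node-ipc project: it walks an npm package-lock.json (a constructed sample is embedded) and flags any node-ipc entry at or above 10.1.1. The article states only the lower bound of the affected range, so the upper bound is left as a placeholder to be filled in from the CVE-2022-23812 advisory.

```javascript
// Added example: find node-ipc entries in a package-lock.json that fall in
// the affected range quoted in the article (>=10.1.1, CVE-2022-23812).
const AFFECTED_PACKAGE = 'node-ipc';
const LOWER_BOUND = '10.1.1'; // lower bound as quoted from Snyk in the article
const UPPER_BOUND = null;     // placeholder: fill in from the advisory; null = unbounded

// Numeric compare of dotted versions (pre-release suffix ignored): <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  if (!version || compareVersions(version, LOWER_BOUND) < 0) return false;
  if (UPPER_BOUND !== null && compareVersions(version, UPPER_BOUND) >= 0) return false;
  return true;
}

// Returns [{ path, version }] for every affected copy, including nested ones.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ('' is the root project)
    for (const [p, entry] of Object.entries(lock.packages)) {
      const name = p.split('node_modules/').pop();
      if (name === AFFECTED_PACKAGE && isAffected(entry.version)) hits.push({ path: p, version: entry.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const visit = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE && isAffected(entry.version)) hits.push({ path: p, version: entry.version });
      visit(entry.dependencies, p + '/');
    }
  };
  visit(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one direct node-ipc 10.1.2 and a nested 9.2.1.
const sampleLock = {
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.1' },
  },
};
console.log(findAffected(sampleLock)); // [ { path: 'node_modules/node-ipc', version: '10.1.2' } ]
```

Run it against a real lockfile by replacing sampleLock with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.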
But that said, this “protestware” sets a dangerous precedent. As one programmer wrote on GitHub, “What’s going to happen is that Western corporate security teams that have absolutely nothing to do with Russia or politics are going to start seeing free and open source software as a vector for supply chain attacks (which it totally is) and just start banning free and open source software – all free and open source software – within their companies. Or at least anything maintained by the community. This will have no positive effect for Ukrainians, idiot, and will only harm FOSS [Free and open-source software] adoption.” Exactly.
In the meantime, as part of the usual open source fix, fellow developer Tyler S. Resch, MidSpike, has launched an effort to create a safe node-ipc fork on GitHub.