npm Library ‘node-ipc’ Sabotaged with npm Library ‘peacenotwar’ in Protest by their Maintainer
The author of these npm libraries intentionally committed corrupt versions containing obfuscated code that would dump a file to your desktop and rewrite files based on the geographical origin of your IP address.
Impact
This incident affected a medium but unknown number of users and impacted large downstream projects such as @vue/cli.
It triggered some discussion around maintainer reputation and what action to take around the maintainer’s other popular libraries with a combined 4 million downloads (excluding node-ipc’s 1 million):
- js-queue
- easy-stack
- js-message
- node-cmd
Type of Compromise
This incident fits the malicious maintainer definition.
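Because a malicious-maintainer compromise means every package from that maintainer is suspect, the practical first check is whether any of the packages named on this page sit anywhere in a project's dependency tree, including as a transitive dependency of something like @vue/cli. The following is an added example, not code from this catalog or from any of the projects it names: it walks an npm `package-lock.json` in both the v1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts and reports matches. The package names come from this page; the two sample lockfiles and their `0.0.0-constructed` versions are constructed for the demo.

```javascript
// Added example (not part of the original catalog entry): audit an npm
// lockfile for the packages this page names. The set below is taken from
// the page; nothing else about these packages is assumed.
const FLAGGED = new Set([
  "node-ipc", "peacenotwar", "js-queue", "easy-stack", "js-message", "node-cmd",
]);

// Lockfile v2/v3: "packages" is flat and keyed by install path, e.g.
// "node_modules/@vue/cli/node_modules/node-ipc". The package name is
// whatever follows the last "node_modules/" (scoped names keep their "@scope/").
function namesFromPackages(packages) {
  const marker = "node_modules/";
  const found = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    found.push({ name, version: meta.version, path });
  }
  return found;
}

// Lockfile v1: "dependencies" is a nested tree, so recurse and build a
// human-readable "parent > child" path for each entry.
function namesFromDependencies(deps, parent = "") {
  const found = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = parent ? `${parent} > ${name}` : name;
    found.push({ name, version: meta.version, path });
    found.push(...namesFromDependencies(meta.dependencies, path));
  }
  return found;
}

// Returns every flagged package found in a parsed lockfile object.
function auditLockfile(lock) {
  const entries = lock.packages
    ? namesFromPackages(lock.packages)
    : namesFromDependencies(lock.dependencies);
  return entries.filter((e) => FLAGGED.has(e.name));
}

// Convenience wrapper for a real file on disk (CommonJS environments).
function auditLockfileAtPath(file) {
  const fs = require("fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample, v2 layout: node-ipc pulled in transitively, with
// peacenotwar nested under it. Versions are placeholders, not real releases.
const SAMPLE_LOCK_V2 = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@vue/cli": { version: "0.0.0-constructed" },
    "node_modules/@vue/cli/node_modules/node-ipc": { version: "0.0.0-constructed" },
    "node_modules/@vue/cli/node_modules/node-ipc/node_modules/peacenotwar": {
      version: "0.0.0-constructed",
    },
    "node_modules/lodash": { version: "0.0.0-constructed" },
  },
};

// Constructed sample, v1 layout: same shape expressed as a nested tree.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "@vue/cli": {
      version: "0.0.0-constructed",
      dependencies: { "node-ipc": { version: "0.0.0-constructed" } },
    },
    lodash: { version: "0.0.0-constructed" },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK_V2)) {
  console.log(`flagged: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run `auditLockfileAtPath("package-lock.json")` against a real project to get the same list; a non-empty result is the signal to pin or remove the dependency and to review the build's network egress, since the sabotaged code selected its behaviour by IP geolocation.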
References
- Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine
- CVE-2022-23812 | RIAEvangelist/node-ipc is malware / protest-ware