Developer node-ipc adds bug that deletes Russian files in protest – IT Pro – News

The developer of the popular JavaScript library node-ipc has made a dangerous vulnerability in the library that overwrites files on users’ computers with an IP address in Russia or Belarus, and then displays a call for world peace.

Node-ipc is used in the vue.js framework, among other things, and fetched a million times a week From the NPM record† writes github That developer Brandon Nozaki Miller intentionally introduced a dangerous vulnerability to the library, which replaces “random files” in the user’s system depending on the geographical location of the user’s IP address.

The vulnerability was added by Miller between March 7 and 8, in versions 10.1.1 and 10.1.2 of the library, writes the log† When node-ipc is fetched and launched by a user, the library checks the IP address of the host computer. If he has an IP address from Russia or Belarus, then the library will try to overwrite as many files on the computer as possible with the heart symbol. Version 10.1.3 was released shortly after and did not have this vulnerability. Versions 10.1.1 and 10.1.2 have been removed from the NPM registry.

Miller then published version 11 and version 9.2.2 of the online library, which created a text file on the desktop and in users’ OneDrive folders with the message: “War is not the answer, no matter how bad it is.” Miller has turned this package into a dependency for node-ipc, which in turn is used as a dependency by many other JavaScript developers. Security platform Snyk writes In a blog post† Vue CLI may also be affected by the vulnerability.

Explains Miller, better known as RIAEvangelist on github It states that exactly what the library does is documented and says that anyone is free to link dependencies to previous versions of the library if they don’t want to be affected by the vulnerability. It should come as no surprise to library users: “Everything is public, documented, licensed, and open source,” he said.