Node-ipc is used in the Vue.js framework, among other things, and is fetched about a million times a week from the npm registry. According to GitHub, its developer Brandon Nozaki Miller intentionally introduced a dangerous vulnerability into the library: depending on the geographical location of the user's IP address, it replaces "random files" on the user's system.
According to the same report, Miller added the vulnerability between March 7 and 8, in versions 10.1.1 and 10.1.2 of the library. When node-ipc is fetched and run by a user, the library checks the IP address of the host computer. If the host has an IP address from Russia or Belarus, the library tries to overwrite as many files on the computer as possible with a heart symbol. Version 10.1.3, released shortly after, does not contain this vulnerability, and versions 10.1.1 and 10.1.2 have been removed from the npm registry.
Miller, better known as RIAEvangelist on GitHub, explains that exactly what the library does is documented, and says that anyone who does not want to be affected by the vulnerability is free to pin their dependencies to previous versions of the library. It should come as no surprise to the library's users: "Everything is public, documented, licensed, and open source," he said.
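Pinning only helps if nothing in the dependency tree still resolves to the affected releases: a caret range such as `^10.1.0` in a transitive dependency picks up 10.1.1 or 10.1.2 as soon as the lockfile is refreshed. The script below is an added example, not code from the article or from the node-ipc project. It walks an npm lockfile (both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3) for the two versions the article names, and shows how an exact version can be forced with npm's `overrides` field (assumed here to be available, i.e. npm 8.3 or newer). The sample lockfiles are constructed for the example; the `some-cli` package and the chosen pin version are illustrative assumptions.

```javascript
// Added example: find node-ipc 10.1.1 / 10.1.2 in an npm lockfile and
// show how to pin the package with an npm "overrides" entry.
// Not part of the article or of node-ipc itself.

// The releases the article identifies as carrying the file-overwriting code.
const AFFECTED = { "node-ipc": new Set(["10.1.1", "10.1.2"]) };

// lockfileVersion 1: "dependencies" is a tree, nested per package.
function walkV1(deps, path, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path.concat(name);
    if (AFFECTED[name] && AFFECTED[name].has(info.version)) {
      out.push({ name, version: info.version, path: here.join(" > ") });
    }
    if (info.dependencies) walkV1(info.dependencies, here, out);
  }
}

// lockfileVersion 2/3: "packages" is flat, keyed by the node_modules path,
// e.g. "node_modules/some-cli/node_modules/node-ipc". The "" key is the root.
function walkV2(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === "") continue;
    const name = key.split("node_modules/").pop();
    if (AFFECTED[name] && AFFECTED[name].has(info.version)) {
      out.push({ name, version: info.version, path: key });
    }
  }
}

// Returns every affected install found in the lockfile object.
function findAffected(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out;
}

// Returns a copy of package.json with an npm "overrides" entry that forces
// every occurrence of `name` in the tree to `exactVersion`. Which version to
// pin is the reader's decision; the article only states that 10.1.3 did not
// carry this change.
function pinOverride(pkgJson, name, exactVersion) {
  const copy = JSON.parse(JSON.stringify(pkgJson));
  copy.overrides = Object.assign({}, copy.overrides, { [name]: exactVersion });
  return copy;
}

// Constructed sample lockfiles (not real projects). In the v2 sample the
// top-level node-ipc is clean, but "some-cli" carries its own nested copy
// that a caret range resolved to 10.1.2.
const SAMPLE_LOCK_V2 = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": {
      version: "1.0.0",
      dependencies: { "node-ipc": "^10.1.0" },
    },
    "node_modules/some-cli/node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/node-ipc": { version: "10.1.3" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-cli": {
      version: "1.0.0",
      dependencies: { "node-ipc": { version: "10.1.1" } },
    },
  },
};

console.log("v2 lockfile:", findAffected(SAMPLE_LOCK_V2));
console.log("v1 lockfile:", findAffected(SAMPLE_LOCK_V1));
console.log("pinned package.json:", pinOverride({ name: "demo-app" }, "node-ipc", "10.1.3"));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; after adding the override, run `npm install` so the lockfile is regenerated and re-run the scan to confirm the nested copy is gone.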