Sabotage: Code added to popular NPM package wiped files in Russia and Belarus
Dan Goodin · news.movim.eu / ArsTechnica · Friday, 18 March, 2022 - 18:31
The developer of a popular open source package has been caught adding malicious code to that package, which wiped files from computers located in Russia and Belarus, in a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node.ipc, adds remote Inter Process Communication and neural networking capabilities to other open source code libraries. As a dependency, node.js is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act
Two weeks ago, the node.ipc author pushed a new version of the library that sabotaged computers located in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node.ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced it with a heart emoji.