September 30, 2023

A supply chain attack in a popular JavaScript developer module has been taken place due to Russian invasion on Ukraine.

This has been started on March 8 with developer Brandon Nozaki Miller, who wrote source code and published an “npm” software module called “peacenotwar.” The notes with the module claim that it serves as a nondestructive example of why controlling node modules is important and as a protest against Russia.

Advertisements

The module was then added as a dependency to the node-ipc module earlier this week, a popular dependency that many JavaScript developers in the npm ecosystem rely on. There is where good intentions lead to unintended consequences. One of many JavaScript ecosystem projects that rely on node-ipc is the Vue.js command-line tool.

The peacenotwar code ended up in Vue.js CLI and herein starts the problem, since the code also has the ability to launch a destructive payload and overwrite all files of users installing the package. The original intent was for the code to overwrite files for users based in Russia and Belarus, but the code opens the door to a broader supply chain attack.

The risk this so-called “protestware” has introduced is serious, with a vulnerability a 9.8 score out of the 10-point common vulnerability scoring system, meaning it’s considered critical.

Advertisements

The malicious code has been found in node-ipc versions 10.1.1 and 10.1.2, its recommended to upgrade to version 10.1.3 or higher.

Leave a Reply

%d bloggers like this: