Node-ipc Sabotaged To Condemn Russia’s Invasion of Ukraine

What would happen if a software maintainer added malicious code to a popular library? To answer this question, we can look to the latest software supply-chain attack. Malicious code was hidden in node-ipc to replace files with a heart emoji, alongside a peacenotwar module.

A developer has taken a tool that he created and sabotaged it to condemn Russia’s invasion of Ukraine. Though he would prefer to call this “protestware”, the author understands that it is called malware by many.

No matter how you feel about it, node-ipc is now in the malicious category. It has malicious code that targets users with IP addresses located in Russia or Belarus and overwrites their files with a heart emoji.

On March 8th, the GitHub account of Brandon Nozaki Miller, an npm maintainer more widely known as RIAEvangelist, released two new packages with source code and published them to both the npm registry and GitHub.

The peacenotwar module is a desktop reminder of the importance of peace. The peacenotwar message only pops up once “just to be polite,” and it is accompanied by a video of a song used in the March 15 One Day – Benefit for Ukraine.

Until Tuesday, this module had virtually no downloads at all. All that changed on Wednesday when the Snyk developer-security platform issued an alert and did a deep dive into the incident. As for what happened, it can be summed up in one word: suspicious.

RIAEvangelist added the module as a dependency to node-ipc, a popular dependency that many JavaScript developers in the ecosystem rely on. It’s also used by many popular frameworks like Vue.js.

Snyk, a security company, illustrated the dependency tree in which nested dependencies like node-ipc trickle into the Vue.js CLI npm package, which underscores the need for thorough vetting at every level of the tree.


One of the most popular libraries in the React ecosystem today is the node-ipc library. It’s currently the second most downloaded package on npm, and was downloaded 1,114,524 times last week.

Supply-Chain Attack

When Vue.js users began to notice a supply chain attack, which many described as “unforeseen and malicious,” company officials were quick to take action. Developers are currently working together on the best way to respond to this unfortunate digital incident.

Despite the pro-peace messaging, the security incident involves the destruction of files on disk by one maintainer. The attacker tried to cover up that sabotage in different forms, but it was ultimately detected.

It’s easy to ignore the fact that everything is connected. While this attack was inspired by the protest, it points to a much larger issue in the software supply chain: transitive dependencies. Many of these dependencies are hidden in your code and have an impact on your security.
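To make a hidden transitive dependency visible, the following added example (not code from the article or from Snyk) walks an npm `package-lock.json` in the v2/v3 `packages` layout and reports the chain from the project root to each watched package. The watched names come from this article; the sample lockfile, its placeholder versions and the intermediate package `example-utils` are constructed for illustration.

```javascript
// Added example: report how watched packages enter a project via package-lock.json.
const WATCHED = new Set(["node-ipc", "peacenotwar", "oneday-test"]); // names from the article
const NM = "node_modules/";
const nameOf = (path) => path.slice(path.lastIndexOf(NM) + NM.length);

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + NM + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const cut = base.lastIndexOf("/" + NM);
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project, so each hit gets its shortest chain.
function findWatched(lock, watched = WATCHED) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]);
  const queue = [""];
  const hits = [];
  while (queue.length) {
    const path = queue.shift();
    const entry = packages[path] || {};
    if (path && watched.has(nameOf(path))) {
      const chain = [];
      for (let p = path; p !== null; p = parent.get(p)) chain.unshift(p ? nameOf(p) : "(root)");
      hits.push({ name: nameOf(path), version: entry.version, chain });
    }
    // devDependencies are only installed for the root project.
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...(path ? {} : entry.devDependencies) };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (target !== null && !parent.has(target)) { parent.set(target, path); queue.push(target); }
    }
  }
  return hits;
}

// Constructed sample lockfile; versions are placeholders, not real releases.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", devDependencies: { "@vue/cli": "*" } },
  "node_modules/@vue/cli": { version: "0.0.0-example", dependencies: { "example-utils": "*" } },
  "node_modules/example-utils": { version: "0.0.0-example", dependencies: { "node-ipc": "*" } },
  "node_modules/node-ipc": { version: "0.0.0-example", dependencies: { peacenotwar: "*" } },
  "node_modules/peacenotwar": { version: "0.0.0-example" },
} };
for (const h of findWatched(SAMPLE_LOCK)) console.log(`${h.name}@${h.version}: ${h.chain.join(" > ")}`);
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findWatched` and compare the reported versions against the vendor advisory.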

The SolarWinds attack in 2020 brought the need for SBOMs to light. President Biden issued an executive order to promote the use of SBOMs, which would increase transparency in supply chains and help prevent future attacks as a result.

This is a major problem for software supply chains: the hunt for a vulnerable, exploited logging library. SolarWinds highlighted this when they found that their own software had been compromised by hackers. It is frustrating for companies that cannot find a solution to this problem.

 

Peacenotwar: Not As Peaceful As It Makes Itself Out To Be

In the case of this recent supply chain attack, Snyk is tracking CVE-2022-23812 as a vulnerability that has not yet been analyzed by NIST’s National Vulnerability Database (NVD). Snyk rates the severity of the vulnerability at 9.8 on a scale of one to ten. The vulnerability is easy to exploit, so it is very important for businesses to keep their dependencies and security tooling up to date.

Snyk is also keeping track of any incidents with the peacenotwar module and the oneday-test module, which have a high criticality rating of 3.7. This is due to the high attack complexity that accompanies these two modules.