In the latest software supply-chain attack, the maintainer of the hugely popular node-ipc library added malicious code that overwrites files with a heart emoji, along with a peacenotwar module.
The developer behind the hugely popular npm package “node-ipc” has released sabotaged versions of the library to condemn Russia’s invasion of Ukraine: supply-chain tinkering that he would prefer to call “protestware” rather than “malware.”
Regardless of the peace-not-war messaging, node-ipc is now being tracked as a malicious package: one containing code that, for users whose IP addresses are located in Russia or Belarus, overwrites their files with a heart emoji.
The peacenotwar module adds a message of peace to users’ desktops. It does so only once, “just to be polite,” according to Miller’s module description:
This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message