Sabotage: Code added to popular NPM package wiped files in Russia and Belarus
The developer of a popular open source package has been caught adding malicious code to it, leading to wiped files on computers located in Russia and Belarus. The move was part of a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node.ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node.ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act
Two weeks ago, the node.ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node.ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.