1. 11
  1. 15

    In the last few days, a few popular NodeJS libraries (like vue-cli and node-ipc) have been “weaponized” to wipe the users’ files if the IP-based geo-location indicates the user is from Russia or Belarus.

    The problem is that such geo-location is not always 100% accurate, thus going forward, especially those living in nearby countries (which might be geo-located by mistake as in one of the targeted countries), should perhaps pay extra care to the new dependencies one adds, or updates, to his software… (Also pay attention to recursive dependencies…)

    Moreover, given the current geo-political landscape, given the war and sanctions, it’s not unrealistic to believe that the other side might start doing the same and target users from western countries…

    As one has said in a GitHub issue:

    […] the Pandora’s box is now opened […]

    1. 16

      The problem is that such geo-location is not always 100% accurate, thus going forward, especially those living in nearby countries (which might be geo-located by mistake as in one of the targeted countries), should perhaps pay extra care to the new dependencies one adds, or updates, to his software… (Also pay attention to recursive dependencies…)

      I guess it goes without saying that these issues apply even more to Russians and Belarusians. It just seems strange to completely leave that out.

      1. 6

        In the last few days, a few popular NodeJS libraries (like vue-cli and node-ipc) have been “weaponized” to wipe the users’ files if the IP-based geo-location indicates the user is from Russia or Belarus.

        The code to do this was never deployed anywhere.

        I don’t want to cast aspersions about you specifically, but the fact that people keep repeating this sensational false claim smacks of Russian propaganda efforts.

        1. 15

          The code to do this was never deployed anywhere.

          The fact that the code was or was not deployed anywhere doesn’t mean it doesn’t exist, or that the intention didn’t exist.

          Just for reference, there is a tag, v10.1.2 (https://github.com/RIAEvangelist/node-ipc/commits/v10.1.2), that does contain the code in question as part of the commit https://github.com/RIAEvangelist/node-ipc/commit/847047cf7f81ab08352038b2204f0e7633449580. Granted, this version was not published on NPM, https://www.npmjs.com/package/node-ipc?activeTab=versions, but that doesn’t mean that some automated tool that happens to download the code directly from GitHub wouldn’t be affected by the issue…

          Also, at least for node-ipc there exists a CVE on this topic, which is reason enough to be aware of the situation: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23812

          It’s not like in the last few months, even before the whole war started, there were no open-source developers that decided to yank their repository (left-pad), change their code so that on startup it enters an infinite loop and outputs raw characters on the console (colors), and many other such cases which perhaps didn’t get through the news mill…

          As the situation escalates, I bet it will spill into other domains such as open-source…

          I don’t want to cast aspersions about you specifically, but the fact that people keep repeating this sensational false claim smacks of Russian propaganda efforts.

          Please do cast suspicions! It’s healthy to be skeptical!

          What exactly is the “sensational false claim”? That some developers have written the code in question, and even tagged it?

          How does it help the Russian propaganda? By raising awareness that perhaps developers should pay closer attention to how deep their dependency trees are? By raising the awareness that our development tools, which with the exception of Go, will gladly download and run any code they find in their repositories as part of a simple build?

          It’s not like the Nvidia driver makefile didn’t include rm -rf /usr /lib/nvidia-current/xorg/xorg at one point (https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123)…

          1. 14

            Granted this version was not published on NPM, https://www.npmjs.com/package/node-ipc?activeTab=versions,

            Apparently, at least according to the snyk.io article, the vulnerable versions were indeed published on NPM for some time, then afterwards they were retracted.

            1. 4

              That’s accurate. 9.2.2, 10.1.1 and 10.1.2 were all pulled from npm.

          2. 12

            Not everything false on the internet is Russian propaganda. It turns out people have been saying untrue things on the web for a little while without Russia’s help. Also, it was actually published on npm so just looking in from the outside here the person posting misinformation seems to be you?

            1. 4

              Which sensational false claim do people keep repeating?

                1. 6

                  So the code was not weaponized because it never made it to the main NPM repo? Really doesn’t help to use the term “false claim” for such ambiguous, subjective issues, especially when you’re making some meta point about propaganda by an official enemy.

              1. 3

                The code to do this was never deployed anywhere.

                What’s your evidence of this? npm doesn’t show removed, malicious versions of packages, so you can’t just trust their site.

            2. 14

              I don’t have a problem with hacktivism and calling attention to injustice is generally the right thing to do. But the idea that you can call out war crimes by indiscriminately targeting disk drives of Russian citizens is really missing the point.

              1. 12

                This morning I would have said you are right, however today I picked up my children from their preschool, where a Ukrainian boy of their age pissed himself because he saw an unknown male (me), after having spent two days in a darkened evacuation train and having left behind everyone except his mum - and probably much more she would not tell. I have never seen a more scared being in my life. It wasn’t anxiety, it was a kind of fear I wasn’t aware humans were able to experience. Let’s say I have a problem with that. If this ‘malware’ will stop at least one Russian ammunition train or make one more Russian stand up, the collateral damage (money) it causes is worth much more than the collateral damage (dead kids) that may be caused by the said ammunition. I don’t blame anyone for having another opinion, but I understand and would myself do what the author of the module has done and had to do.

                1. 6

                  We must do something;
                  This is something;
                  Therefore, we must do this.

                  Just because it’s an action that can be taken doesn’t mean it will help. In fact, I rather suspect this hurts the overall effort.

                  1. 3

                    If this ‘malware’ will stop at least one Russian ammunition train or make one more Russian stand up, the collateral damage (money) it causes is worth much more than the collateral damage (dead kids) that may be caused by the said ammunition. I don’t blame anyone for having another opinion, but I understand and would myself do what the author of the module has done and had to do.

                    I see where you’re coming from. But I don’t see such methods changing the opinions or stance of a previously-indifferent (much less one who is supportive of the regime) Russian. I see frustration and anger, because they almost certainly aren’t thinking of the plight of Ukrainian families fleeing chaos, they’re thinking about their lost files.

                    1. 3

                      I am not endorsing either side here, but your comment seems to presuppose that the sides of their target audience (people in Russia) are supports and opposes. I think in the view of the author of this hazardous code the sides are three: supports, opposes, and mildly in favor of the fictitious events pictured in Russian propaganda. If the theory is that the last group is the largest, then they would need only a small margin over 50% of that group to be pushed into the opposes group in order to justify the operation to themselves. Again, I’m not endorsing either viewpoint here – I’m just trying to highlight how views can shift depending on (mis)understanding of the subgroups and the size of those groups. Personally I don’t think we have very good estimates for these parameters, but tbh I haven’t done a lot of research either.

                2. 5

                  Published versions 10.1.1 and 10.1.2 would wipe all files they could find/touch. 9.2.2 and 11.x would leave you a message on your desktop. GitHub/npm has removed versions 9.2.2 and the 10.x but left 11.x up. I’m curious what everyone’s take on that is.

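The comment above lists the node-ipc releases by behaviour, and earlier comments stress transitive dependencies. As an added example (not code from the thread or from node-ipc), this script audits an npm package-lock.json for those release numbers, including copies nested under other packages; the lockfile contents and the package name "some-cli" are constructed for illustration.

```javascript
// Added example: flag the node-ipc releases named in the thread inside a lockfile.
// Per the comments: 9.2.2, 10.1.1 and 10.1.2 were pulled from npm; 11.x leaves a message.
const PULLED = new Set(["9.2.2", "10.1.1", "10.1.2"]);

function classify(version) {
  if (PULLED.has(version)) return "pulled-from-npm";
  if (/^11\./.test(version)) return "11.x-message";
  return null; // not one of the releases named in the thread
}

// Handles lockfileVersion 2/3 ("packages", keyed by install path such as
// "node_modules/a/node_modules/node-ipc") and lockfileVersion 1 (nested
// "dependencies"), so transitive copies are found, not just the top-level one.
function findFlaggedNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/node-ipc") && meta.version) {
        const kind = classify(meta.version);
        if (kind) hits.push({ path, version: meta.version, kind });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc") {
        const kind = classify(meta.version);
        if (kind) hits.push({ path, version: meta.version, kind });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (v2 shape): the made-up "some-cli" pulls in node-ipc 10.1.2
// transitively, and the root also pins node-ipc 11.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app" },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { "node-ipc": "^10.1.0" } },
    "node_modules/some-cli/node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/node-ipc": { version: "11.0.0" },
  },
};

for (const h of findFlaggedNodeIpc(SAMPLE_LOCK)) console.log(h.kind, h.version, h.path);
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; the nested path in each hit tells you which direct dependency dragged the release in.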
                  1. 2

                    There seems to be a subtext in these criticisms that says the goal of open source is something which can be consumed by corporate interests with minimal scrutiny. Anything that requires scrutiny is friction that reduces adoption, and is therefore harmful.

                    As an individual installing a distribution of components that were tested together and receives very minimal updates for critical security issues, this type of behavior has been a nonevent. There’s no code I have that would automatically pick up the latest changes except for git repositories I’m actively working on.

                    The debate we should be having is whether the OSI’s goal is the right one. OSI has long said that Open Source (tm) requires non-discrimination based on field of endeavor, which makes sense from the point of view of allowing consumption with minimal scrutiny, but is not obviously compatible with the interests and motivations of volunteers who have a range of ethical and moral positions. A volunteer contributor is a donor, and outside of software, donors routinely attach conditions to how their contributions are used. OSI’s position is that doing so in Open Source (tm) is not allowed - a message in a commit log is not the same as saying, “my donation should not be used to intentionally end people’s lives.”

                    1. 2

                      Some weekend inspiration here …

                      I’ve pondered what I could do in this matter. This war springs from an alternate Russian reality. Because of the lack of journalism in Russia, somebody needs to tell them who the aggressor is. Hint: Just ask the Ukrainians: It’s not NATO.

                      1. 1

                        This is OSI’s statement with regard to the “protestware” that has been discussed in https://lobste.rs/s/pamrw6/.

                        In my view it is quite a vague statement, however at least it touches on the problem at the end:

                        Longer term, it’s likely these weaponizations are like spitting into the wind: The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible. By extension, all of open source is harmed. Use your power, yes—but use it wisely.