UPDATED 20:56 EDT / MARCH 17 2022

SECURITY

Protest against Russia turns into a supply chain attack in popular JavaScript module

A protest by a developer against Russia’s invasion of Ukraine has turned into a supply chain attack in a popular JavaScript developer module.

Detailed Wednesday by researchers at Snyk Ltd., the bizarre tale starts on March 8 with developer Brandon Nozaki Miller, who wrote and published an npm software module called “peacenotwar.” The notes accompanying the module claim that it serves as a nondestructive example of why controlling node modules is important and as a protest against Russia. The description also notes that users will receive a message of peace on their desktops.

On March 15, the module was added as a dependency to node-ipc, a popular package that many JavaScript developers in the npm ecosystem rely on. This is where good intentions led to unintended consequences. One of the many JavaScript ecosystem projects that rely on node-ipc is the Vue.js command-line tool.

The peacenotwar code thus ended up in the Vue.js CLI, and that is where the problem starts: the code can also launch a destructive payload that overwrites all files belonging to users installing the package. The original intent was for the code to overwrite files only for users based in Russia and Belarus, but the code opens the door to a broader supply chain attack.

The risk this so-called “protestware” has introduced is serious: Snyk gave the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10, meaning it is considered critical.

“This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms,” the Snyk researchers explained. “While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.”

The malicious code has been found in node-ipc versions 10.1.1 and 10.1.2, and the Snyk researchers encourage anyone with node-ipc in their dependency chain to upgrade to version 10.1.3 or higher.

“Snyk stands with Ukraine and we’ve proactively acted to support the Ukrainian people during the on-going crisis,” the researchers concluded. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”

Image: NPM
