Supply Chain Council of European Union | Scceu.org

JavaScript apps hit with pro-Ukraine supply chain attack

One developer’s act of protest has become a supply chain attack on a popular JavaScript developer tool.

Security vendor Snyk is advising developers to be on the lookout for a malicious component that was inserted into Vue.js, a JavaScript command line tool. Infected apps will produce text files on the desktops of end-user systems. The files contain text that shows support for Ukraine in its ongoing war with Russia.

In a blog post, Snyk researcher Liran Tal said it’s not Vue.js itself that is infected. Rather, the malicious code lives in another piece of code that Vue.js relies on in order to operate. Known as node-ipc, the NPM package is bundled into Vue.js as a dependency.

According to Tal, the incident began earlier this month when Brandon Nozaki Miller, the developer of node-ipc who also goes by “RIAEvangelist,” built a proof of concept to protest the Russian invasion of Ukraine. Known as “peacenotwar,” the infection had little in the way of downloads up until this week.

However, that changed on March 15, when the peacenotwar infection was bundled into the widely used node-ipc package. This, in turn, led to other JavaScript applications that included node-ipc as a dependency being infected.

“With concerns about future code updates that may put users at risk, we recommend avoiding the node-ipc npm package entirely,” explained Tal. “If this npm package is bundled in your project as part of the application you are building, then we recommend that you use the npm package manager's feature to override the sabotaged versions altogether and pin down the transitive dependency to known good.”

While Vue.js isn’t the only application that has node-ipc as a dependency, the command-line tool is by far the most popular to use the infected component, according to Snyk.

This is not the first time an infected dependency caused havoc with downstream applications. Earlier this year, researchers uncovered hundreds of malicious code packages that had been scattered throughout the NPM code repository.

As Tal noted, however, these supply chain attacks should be of concern to administrators and defenders because not only do applications now need to be scanned, but so too must their third-party dependencies.

“This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms,” wrote Tal.

“While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.”

Tal also wrote that while Snyk supports Ukraine and has ceased business in Russia and Belarus, “intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”
