The Node-IPC incident
-
Some of you may be familiar with the recent incident with Node-IPC, and others may not know about it yet. Here I will explain it and we can talk about it.
Node-IPC (https://github.com/RIAEvangelist/node-ipc) is a module that works on the software NodeJS. It allows "Inter Process Communication" and is (or was) a very popular piece of code. Node-IPC is open source, meaning anyone can get it for free, and maintained by several people, but is not owned by any company.
Recently, the main owner of Node-IPC, Brandon Nozaki Miller, or
RIAEvangelist, began making an anti-war "peacenotwar" code repository which would "add a message of peace on your users' desktops" (https://github.com/RIAEvangelist/peacenotwar). It was also added to his other code repositories, most notably Node-IPC. This wasn't a problem until some people made a discovery about a newer version of Node-IPC containing the peacenotwar code. If your IP address was from Russia or Belarus, it would overwrite all your files with heart emojis, which would permanently delete their contents (https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c).
If Node-IPC wasn't widely used, this wouldn't be an issue. However, it is used in Chromium (open source browser that Vivaldi is based on), Vue.js, and more. (More affected software can be found at https://github.com/zlw9991/node-ipc-dependencies-list). In addition, it is downloaded over a million times a week. This incident also exposed a weakness in the FOSS (Free and Open Source Software) community - software is openly distributed without being heavily reviewed first.
The response to this incident was strong. The EFF released an article condemning this act (https://www.eff.org/deeplinks/2022/03/anti-war-hacktivism-leading-digital-xenophobia-and-more-hostile-internet), and many were furious. Reportedly, a humanitarian rights group was affected and lost their files, and lost tons of valuable data (https://github.com/RIAEvangelist/node-ipc/issues/308). As for Brandon, he claimed that "There was no actual code to wipe computers," but few genuinely believe him. As a result of these actions, he could face ten years in prison.
To conclude, the moral of the story is not to engage in an online cyberwar against Russia, at least not in the way Brandon did. Not only did what he did hurt the Russian and Belarusian people, it also hurt himself, unintended targets such as a humanitarian group, and the FOSS community as a whole.
-
Breaking modules to fail with special client IP ranges is not the way to help and support others, no, such behaviour is a Black Hat Sh**.
SCNR
We see it is a really high risk to trust open-source and other repos, thinking that they host working software.
-