The developer of a popular code package sabotages his own product.
Node-ipc is a very popular JavaScript package that provides a module for inter-process communication. It is widely used around the world (by the Vue.js CLI library, for example) and has over a million weekly downloads.
Bleeping Computer reports that the developer of node-ipc, Brandon "RIAEvangelist" Miller, wanted to take a stand on the war in Ukraine. He published two new versions of his package to both the npm registry and GitHub.
For many users, installing the package only displays a message of peace on the screen.
However, if the user's IP address places them in Russia or Belarus, the package delivers, in addition to the peace message, a catastrophically destructive payload: it wipes the entire contents of the computer.
The destructive routine is carefully hidden in the node-ipc code. Once triggered, it overwrites all files on the target system, replacing their contents with heart emojis.
A message calling for peace appears in English and Russian on the screen of the wiped machine:
“War is not the answer, no matter how bad the situation is. War brings tragedy and destruction, robbing generations of precious moments and hope for the future.
A soldier wears his boots for his country, obeying the orders of his government. Find the power to forgive, join together, and resist that true injustice and evil.
Humanity unites us all, and only the finish lines separate us. We may feel we are insignificant individuals, but when enough people work towards the same goal, we make big moves.
Do what feels right, follow your own values. May the Creator bless you and your families. Stay safe.”
Numerous open source projects, Vue.js among them, pulled in the destructive node-ipc package as a dependency and ended up distributing it to their unsuspecting users, with predictable consequences.
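One way a team could check its own project for a package that arrives through other packages, as described above. This is an added example, not code from the original article or from the node-ipc project. It scans a parsed npm lockfile (lockfileVersion 2 or 3) for installed copies of a package and for the packages that ask for it. The sample lockfile, the names `example-cli` and `@scope/tool`, every version number and the deny list are constructed placeholders, because the article does not name the affected versions.

```javascript
'use strict';
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for one package. DENY is a placeholder; fill it from the advisory you follow.
const DENY = new Set(['0.0.0-PLACEHOLDER']);
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // exact pin, no range operator

function auditLock(lock, name, deny = DENY) {
  const installed = [];  // every copy of `name` that would land in node_modules
  const dependents = []; // every package that requests `name`, with its range
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the package.
    const pkg = path.split('node_modules/').pop();
    if (pkg === name) {
      installed.push({ path, version: meta.version, denied: deny.has(meta.version) });
    }
    // The root project has the key "" and lists its direct dependencies too.
    for (const field of ['dependencies', 'optionalDependencies']) {
      const range = (meta[field] || {})[name];
      if (range !== undefined) {
        // A floating range lets a fresh install pick up a newly published release.
        dependents.push({ path: path || '(root project)', range, floating: !EXACT.test(range) });
      }
    }
  }
  return { installed, dependents };
}

// Constructed sample lockfile: names and versions are illustrative only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'example-cli': '1.0.0' } },
    'node_modules/example-cli': { version: '1.0.0', dependencies: { 'node-ipc': '^1.2.0' } },
    'node_modules/node-ipc': { version: '1.3.0' },
    'node_modules/@scope/tool': { version: '2.0.0', dependencies: { 'node-ipc': '1.2.3' } },
    'node_modules/@scope/tool/node_modules/node-ipc': { version: '1.2.3' },
  },
};

// Constructed deny list for the demo run; 1.3.0 is not a real advisory value.
console.log(JSON.stringify(auditLock(sampleLock, 'node-ipc', new Set(['1.3.0'])), null, 2));
```

In real use, pass the result of `JSON.parse` on the project's own `package-lock.json` and a deny set taken from a published advisory.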
The extent of the damage is currently unknown. The incident has caused turmoil among open source supporters, and the reputational damage from RIAEvangelist's stunt may erode trust in open source.
“War is a bad thing, of course, but it doesn’t justify such use. Smell v *** u, go to hell. You successfully ruined the open source community. Are you happy now?” one GitHub user said.