JavaScript apps hit with pro-Ukraine supply chain attack

One developer's act of protest has become a supply chain attack on a popular JavaScript developer tool.

Security vendor Snyk is advising developers to be on the lookout for a malicious component that was inserted into Vue.js, a JavaScript command line tool. Infected apps will produce text files on the desktops of end-user systems. The files contain text that shows support for Ukraine in its ongoing war with Russia.

In a blog post, Snyk researcher Liran Tal said it's not Vue.js itself that is infected. Rather, it is another piece of code that Vue.js relies on in order to operate. Known as node-ipc, the NPM package is bundled into Vue.js as a dependency.

According to Tal, the incident began earlier this month when Brandon Nozaki Miller, the developer of node-ipc, who also goes by "RIAEvangelist," built a proof of concept to protest the Russian invasion of Ukraine. Known as "peacenotwar," the infection had little in the way of downloads until this week.

However, that changed on March 15, when the peacenotwar infection was bundled into the widely used node-ipc package. This, in turn, led to other JavaScript applications that included node-ipc as a dependency being infected. Snyk said the poisoned NPM package will wipe data on systems located in either Russia or Belarus.

"With concerns about future code updates that may put users at risk, we recommend avoiding the node-ipc npm package entirely," Tal explained.

"If this npm package is bundled in your project as part of the application you are building, then we recommend that you use the npm package managers feature to override the sabotaged versions altogether and pin down the transitive dependency to known good."

While Vue.js isn't the only application that has node-ipc as a dependency, the command-line tool is by far the most popular to use the infected component, according to Snyk.

This is not the first time an infected dependency caused havoc with downstream applications. Earlier this year, researchers uncovered hundreds of malicious code packages that had been scattered throughout the NPM code repository.

As Tal noted, however, these supply chain attacks should be of concern to administrators and defenders because not only do applications now need to be scanned, but so too must their third-party dependencies.

"This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," Tal wrote.

"While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security."

Tal also wrote that while Snyk supports Ukraine and has ceased business in Russia and Belarus, "intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities."