In a blog post, Snyk researcher Liran Tal said it's not Vue.js itself that is infected. Rather, it is another piece of code that Vue.js relies on in order to operate. Known as node-ipc, the NPM package is bundled into Vue.js as a dependency.
According to Tal, the incident began earlier this month when Brandon Nozaki Miller, the developer of node-ipc, who also goes by "RIAEvangelist," built a proof of concept to protest the Russian invasion of Ukraine. Known as "peacenotwar," the infection had little in the way of downloads until this week.
"With concerns about future code updates that may put users at risk, we recommend avoiding the node-ipc npm package entirely," Tal explained.
"If this npm package is bundled in your project as part of the application you are building, then we recommend that you use the npm package manager's feature to override the sabotaged versions altogether and pin down the transitive dependency to known good."
While Vue.js isn't the only application that has node-ipc as a dependency, the command-line tool is by far the most popular to use the infected component, according to Snyk.
This is not the first time an infected dependency caused havoc with downstream applications. Earlier this year, researchers uncovered hundreds of malicious code packages that had been scattered throughout the NPM code repository.
As Tal noted, however, these supply chain attacks should be of concern to administrators and defenders because not only do applications now need to be scanned, but so too must their third-party dependencies.
"This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," Tal wrote.
"While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security."
Tal also wrote that while Snyk supports Ukraine and has ceased business in Russia and Belarus, "intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities."