{
	"id": "ef3f594d-f829-47a1-8988-dd450108f256",
	"created_at": "2026-04-06T00:06:55.850945Z",
	"updated_at": "2026-04-10T03:24:29.913774Z",
	"deleted_at": null,
	"sha1_hash": "daf31d226eed9ec3edcc6b0d6774ea5067ff78e6",
	"title": "BIG sabotage: Famous npm package deletes files to protest Ukraine war",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2327858,
	"plain_text": "BIG sabotage: Famous npm package deletes files to protest Ukraine war\r\nBy Ax Sharma\r\nPublished: 2022-03-17 · Archived: 2026-04-05 23:00:55 UTC\r\nThis month, the developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of\r\nthe ongoing Russo-Ukrainian War.\r\nNewer versions of the 'node-ipc' package began deleting all data and overwriting all files on developer's machines, in\r\naddition to creating new text files with \"peace\" messages.\r\nWith over a million weekly downloads, 'node-ipc' is a prominent package used by major libraries like Vue.js CLI.\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nProtestware: Ukraine's ongoing crisis bleeds into open source\r\nSelect versions (10.1.1 and 10.1.2) of the massively popular 'node-ipc' package were caught containing malicious code that\r\nwould overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under\r\nCVE-2022-23812.\r\nOn March 8th, developer Brandon Nozaki Miller, aka RIAEvangelist released open source software packages\r\ncalled peacenotwar and oneday-test on both npm and GitHub.\r\nThe packages appear to have been originally created by the developer as a means of peaceful protest, as they mainly add a\r\n\"message of peace\" on the Desktop of any user installing the packages.\r\n\"This code serves as a non-destructive example of why controlling your node modules is important,\"\r\nexplains RIAEvangelist.\r\n\"It also serves as a non-violent protest against Russia's aggression that threatens the world right now.\"\r\nBut, chaos unfolded when select npm versions of the famous 'node-ipc' library—also maintained by RIAEvangelist, were\r\nseen launching a destructive payload to delete all data by overwriting files of users installing the package.\r\nInterestingly, the malicious code, committed as early as March 7th by the dev, would read the system's external IP address\r\nand only delete data by overwriting files for users based in Russia and Belarus.\r\nThe code present within 'node-ipc', specifically in file \"ssl-geospec.js\" contains base64-encoded strings and obfuscation\r\ntactics to mask its true purpose:\r\nMalicious code in 'node-ipc' that runs for Russian and Belarusian users (BleepingComputer)\r\nA simplified copy of the code provided by researchers shows that for users based in Russia or Belarus, the code will rewrite\r\nthe contents of all files present on a system with a heart emoji—effectively deleting all data on a system.\r\nAdditionally, because 'node-ipc' versions 9.2.2, 11.0.0, and those greater than 11.0.0 bundle the peacenotwar module within\r\nthemselves, affected users saw 'WITH-LOVE-FROM-AMERICA.txt' files popping up on their Desktop with \"peace\"\r\nmessages:\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 3 of 6\n\nWITH-LOVE-FROM-AMERICA.txt file with multilingual 'peace' messages \r\nResearchers at open source security firm Snyk also tracked and analyzed the malicious activity:\r\n\"At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm\r\npackage will be called upon, if that matches a geo-location of either Russia or Belarus,\" writes Liran Tal, Director of\r\nDeveloper Advocacy at Snyk in a blog post.\r\nVue.js users panic over supply chain attack\r\nPopular JavaScript front end framework 'Vue.js' also uses 'node-ipc' as a dependency. But prior to this incident, 'Vue.js' did\r\nnot pin the versions of 'node-ipc' dependency to a safe version and was set up to fetch the latest minor and patch versions\r\ninstead, as evident from the caret (^) symbol:\r\nVersions of Vue.js CLI previously pulled latest minor and patch versions of node-ipc\r\nAs such, Vue.js CLI users made an urgent appeal to the project's maintainers to pin the 'node-ipc' dependency to a safe\r\nversion, after some were left startled.\r\nAnd, as observed by BleepingComputer, Vue.js isn't the only open source project to be impacted by this sabotage.\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 4 of 6\n\nDevelopers Lukas Mertens and Fedor are warning other project maintainers to make sure they are not on a malicious 'node-ipc' version:\r\nLukas Mertens warns repo owners using malicious 'node-ipc' versions (GitHub)\r\nSnyk researchers suspect that 'node-ipc' versions 10.1.1 and 10.1.2 that cause blatant damage to the system were taken down\r\nby npm within 24 hours of publication.\r\nNote, however, 'node-ipc' versions 11.0.0 and above remain available on npm. And, these versions still contain the\r\npeacenotwar module that will create the aforementioned 'WITH-LOVE-FROM-AMERICA.txt' files on Desktop.\r\nAs such, if your application is built using the 'node-ipc' library, make sure to pin the dependency to a safe version such as\r\n9.2.1 (turns out 9.2.2 isn't innocent either).\r\nIncident upsets open source community\r\nThis marks the second major incident of protest by an open source developer this year, following January's 'colors' and\r\n'fakers' self-sabotage incident, as first reported by BleepingComputer.\r\nIn the case of 'colors', its developer Marak Squires drew mixed reactions from the open source community because his\r\nmanner of protest involved breaking thousands of applications by introducing infinite loops within them.\r\nHowever, the move by RIAEvangelist, who maintains over 40 packages on npm, has drawn sharp criticism for going beyond\r\njust \"peaceful protest\" and actively deploying destructive payloads in a popular library without any warning to honest users.\r\nA GitHub user called it \"a huge damage\" to the credibility of the whole open source community.\r\n\"This behavior is beyond f**** up. Sure, war is bad, but that doesn't make this behavior (e.g. deleting all files for\r\nRussia/Belarus users and creating strange file in desktop folder) justified. F*** you, go to hell. You've just successfully\r\nruined the open-source community. You happy now @RIAEvangelist?\" asked another.\r\nSome called out the 'node-ipc' developer for trying to \"cover up\" his tracks by persistently editing and deleting previous\r\ncomments on the thread [1, 2, 3].\r\n\"Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of\r\nprotest. How does that reflect on the maintainer’s future reputation and stake in the developer community?\" asks Snyk's Tal.\r\nDevelopers should exercise caution before using 'node-ipc' in their applications as there is no assurance that future versions\r\nof this or any library released by RIAEvangelist will be safe.\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 5 of 6\n\nPinning your dependencies to a trusted version is one of the ways of protecting your applications against such supply chain\r\nattacks.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nhttps://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/"
	],
	"report_names": [
		"big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daf31d226eed9ec3edcc6b0d6774ea5067ff78e6.pdf",
		"text": "https://archive.orkl.eu/daf31d226eed9ec3edcc6b0d6774ea5067ff78e6.txt",
		"img": "https://archive.orkl.eu/daf31d226eed9ec3edcc6b0d6774ea5067ff78e6.jpg"
	}
}