The developer of a popular open source package has been caught adding malicious code to that package, which wiped files from computers located in Russian federation and Belarus, in a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node. ipc, adds remote Inter Process Communication and neural networking capabilities to other open source code libraries. As a dependency, node. js is automatically downloaded and incorporated into other libraries, including ones like Vue. js CLI, which has more than 1 million weekly downloads.
A deliberate and dangerous act
Two weeks ago, the particular node. ipc author pushed a new version of the library that sabotaged computers located in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the client. ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced it with a heart emoji.