Earlier this month, the Vue.js JavaScript framework was subject to a supply chain attack via the npm ecosystem.  The node-ipc package was sabotaged by its creator and was pulled into other people’s projects resulting in anti-war messages being displayed to users and, in some cases, data destruction.

Node-ipc is a popular module used in the Node.js runtime environment for local and remote inter-process communication (IPC).  Node-IPC attracts over a million downloads each week because it is used by many Node.js projects.

The problems started when the maintainer of the node-ipc package decided to use his reach to protest the war in Ukraine – initially by making his ‘peacenotwar’ package a dependency of node-ipc causing it to be pulled into any project using node-ipc and later by changing node-ipc to wipe files on any machine which had an IP address geolocated in Russia or Belarus.

The full story of this abuse of the npm package ecosystem is details in a blog post by source code security firm snyk.

This incident highlights the huge levels of trust we give to public packages in npm and other package managers – trusting the dependency files pulled into our software builds that are created and maintained by unpaid volunteers.

Security Managers and Development Managers would be well advised to review how their networks and systems are protected from malicious or vulnerable updates pulled into their environment through the software supply chain whenever an application is rebuilt and deployed.