NPM package targets Russian and Belarusian systems in protest over Ukraine invasion

After the invasion of Ukraine by Russia, one developer of node packages changed the code in a package so that it would wipe various random files and replace them with other content. To understand what we are talking about, let’s first discuss what a node package is, what a node package manager (NPM) is, and what they can do.

What is a node package?

A node package (in this case) is a bundle of software code that produces a specific set or subset of effects based on the input it is given. Usually referred to as a “library,” it provides standard functionality so that developers do not have to rewrite the same code repeatedly. Packages can also call other packages or open and close software outside of the package.

What is a node package manager (NPM)?

Node package managers started as controllers of JavaScript packages: a command-line interface (CLI) that lets users download and install node packages and manage the dependencies of those packages. If you are knowledgeable about programming, you could think of something like Microsoft’s PowerShell as being comparable to an NPM.

The two, packages and managers, create a way for users and programmers to define and implement coding elements that can be used for just about any desired result.

The event

Now that you have a basic understanding of the two, let’s move on to the meat of the post.

A developer using the handle “RIAEvangelist,” who maintains and updates the node package “node-ipc,” popular in the node world, decided to use the package to show their ire over the recent invasion of Ukraine by Russian forces. This particular package provides local and remote “interprocess communication” (IPC), which is used when programs need to share data with one another, on the same system or across systems. It also supports various forms of socket communication on Linux, Windows, and Mac systems.

Initially, the developer changed the code to check the geo-location of the user’s IP address. If the location was within Russia or Belarus, the code would select files and wipe them from the user’s system. After a short time (literally hours), the developer updated the code to remove that functionality. Instead, it brought up a message from the developer on the user’s desktop that explained why node modules/packages needed to be controlled and how this particular one was a non-violent protest mechanism.

So, at the outset, the developer used a destructive method to protest a political situation but then changed their modus operandi to a non-destructive mechanism and a reminder to check how the code you are using actually behaves on your system. That is cybersecurity right there.

How will this affect you?

Unless you are a resident of some part of Russia or Belarus, this won’t affect you. But you must understand that this is a change to code that is neither expected nor desirable in most cases. It is an adulteration that can change how your system communicates with other systems or even how your system operates. Check your systems and verify which version of node-ipc you have, if you use it at all.

  • Versions 10.1.1 and 10.1.2 were the destructive ones and were published on March 7, 2022.
  • Version 11.0.0 just posts the activist’s statement.

What should you do?

This type of attack falls into the category of attacks known as a “supply chain attack.” It is much like the recent SolarWinds breach, where malicious code was introduced through a third-party piece of software. It differs in that this attacker’s motivation is “hacktivism,” while in the SolarWinds breach the attackers’ motivation was most likely espionage.

If you or the organization you work with use these types of freely available software packages and snippets, check them to make sure you haven’t inadvertently installed something harmful to you or others. Validate that they are needed for functionality within your systems, and remove them if they aren’t.

While this may not affect you financially, it is never good practice to allow destructive software on your systems.

If you want to use this particular package, check those versions and see whether they will affect you adversely. If you have an adulterated version, you have three choices:

  1. Remove the NPM dependency from the affected software on your systems,
  2. Regress to a version that predates the affected versions,
  3. Use what you have to, but update when an unaffected version is delivered.

It is also good to follow sound practices when developing software for your organization’s use: check dependencies, use only what you must, validate that your downloads are safe, and monitor future releases for malware or adulteration.
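As an added example (not code from the original post or from the node-ipc project), the following Node.js script performs the version check and dependency review described above: it reads an npm lockfile, finds every installed copy of node-ipc, including copies nested under other dependencies, and flags the versions the post names. The lockfile embedded below is constructed sample data; for a real project you would pass the parsed contents of your own package-lock.json.

```javascript
// Added example, not code from the original post: audit an npm lockfile for the node-ipc versions the post names.
const AFFECTED = {
  "10.1.1": "destructive version, published March 7, 2022",
  "10.1.2": "destructive version, published March 7, 2022",
  "11.0.0": "posts the activist's statement",
};
// Return every installed copy of `name` as { path, version }. Lockfile v2/v3 key
// packages by node_modules path; lockfile v1 nests them under "dependencies".
function findPackage(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Flag each copy of node-ipc whose version is one of those named above.
function auditNodeIpc(lock) {
  return findPackage(lock, "node-ipc").map(({ path, version }) => ({
    path,
    version,
    affected: Object.prototype.hasOwnProperty.call(AFFECTED, version),
    note: AFFECTED[version] || "not one of the versions named in the post",
  }));
}

// Constructed sample lockfile (v2): a direct affected copy plus a nested copy
// pulled in by another package; both would also show up in "npm ls node-ipc".
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "9.2.1" },
  },
};
console.log(auditNodeIpc(SAMPLE_LOCK));
```

Any entry reported as affected is a candidate for one of the three choices listed above; the nested copy shows why checking only your own package.json is not enough.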

Northstarr Recommendations

Northstarr’s expert staff members are constantly on the lookout for malware, malicious software, and other things that are not appropriate for your systems to download or use. Our monitoring covers the entire spectrum of your network and organization.

Call us at (888) 767-2210 to talk about your IT and security needs, or sign up online for a free security assessment.

We look forward to helping you protect your organization and data!