GHSA-97m3-w2cp-4xx6
cyberwarfareispeace

| | GHSA-97m3-w2cp-4xx6 | cyberwarfareispeace |
|---|---|---|
| Stars | 13 | 1 |
| | - | 0 |
| | - | - |
| Activity | - | 10.0 |
| Last commit | - | over 2 years ago |
| Language | JavaScript | |
| License | - | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-97m3-w2cp-4xx6
Selecting the Right Dependencies: A Comprehensive Practical Guide
How safe is it to use? It may sound like fiction, but yes, dependencies can be dangerous. For example, an interesting feature was added to a library with 500k downloads: it tries to replace all files on the computer with ❤️ if your IP address falls within a specific range.
- Embedded Malicious Code in node-ipc
- Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers
With the recent scandal over the 'node-ipc' package, is Composer also vulnerable like this? Is there any security measure in the Composer to prevent this type of attack?
Source: CVE-2022-23812
- CVE-2022-23812 - Embedded Malicious Code in node-ipc - The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files on Russian systems.
- My entire PC got wiped Do not download
- NPM supply chain attack - Wipes your disk if you have a Russian/Byelorussian IP
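The practical question behind these reports is whether a given project tree contains the affected node-ipc releases. The following is an added example, not code from either repository on this page: it scans an npm package-lock.json (v1 nested tree or v2/v3 `packages` map) for installs that match a list of bad packages, and reports which dependency pulled each one in, since in this incident the affected node-ipc versions were usually reached transitively. The node-ipc version list is the one the CVE-2022-23812 text above gives; the rule flagging peacenotwar at any version, the lockfile contents and all names in it are constructed for the example.

```javascript
// Added example (not code from either repository on this page): scan an npm
// package-lock.json for installs that match a malicious-package advisory.
// node-ipc 10.1.1 / 10.1.2 are the versions CVE-2022-23812 names above; the
// peacenotwar rule and the sample lockfile below are constructed for this example.

const ADVISORIES = [
  { name: 'node-ipc', affected: new Set(['10.1.1', '10.1.2']) },
  { name: 'peacenotwar', affected: '*' }, // presence at any version is the signal
];

// Constructed v2 lockfile: a safe top-level node-ipc, an affected copy nested
// under a transitive dependency, and peacenotwar nested under that copy.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-ipc': '^9.1.1', 'some-lib': '1.0.0' } },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/some-lib/node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/some-lib/node_modules/node-ipc/node_modules/peacenotwar': { version: '1.0.0' },
  },
});

const NM = 'node_modules/';

// Package name for a `packages` key: the segment after the last "node_modules/"
// (scoped names keep their "@scope/" prefix). The root entry ('') and
// workspace folders have no node_modules segment and are skipped.
function packageNameFromPath(key) {
  const idx = key.lastIndexOf(NM);
  return idx === -1 ? null : key.slice(idx + NM.length);
}

// Name of the package whose own node_modules folder holds `path`, or the
// project root for hoisted / top-level installs.
function requiredBy(path) {
  const idx = path.lastIndexOf('/' + NM);
  return idx === -1 ? '(root project)' : packageNameFromPath(path.slice(0, idx));
}

// Lockfile v1 has no `packages` map, only a nested `dependencies` tree.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + NM + name;
    yield { path, name, version: entry.version };
    yield* walkV1(entry.dependencies, path + '/');
  }
}

// Yield every installed package with its install path, whatever the lockfile version.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(key);
      if (name) yield { path: key, name, version: entry.version };
    }
  } else {
    yield* walkV1(lock.dependencies, '');
  }
}

// Return every install matching an advisory, with the package that pulled it in.
function findAffected(lockfileText, advisories = ADVISORIES) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const pkg of walkLockfile(lock)) {
    const adv = advisories.find((a) => a.name === pkg.name);
    if (!adv) continue;
    if (adv.affected === '*' || adv.affected.has(pkg.version)) {
      hits.push({ name: pkg.name, version: pkg.version, path: pkg.path, requiredBy: requiredBy(pkg.path) });
    }
  }
  return hits;
}

for (const hit of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path} (pulled in by ${hit.requiredBy})`);
}
```

The scan reads the lockfile rather than node_modules because the lockfile is what `npm ci` installs in CI, so it is the artifact to gate on. It only matches the exact versions listed, which is the right behaviour for a malicious-release advisory (the neighbouring releases are not affected), and the `requiredBy` field tells you which direct dependency to pin or replace.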
Ukraine Invasion Megathread #3
I have not audited the malicious code myself, so you might be right, I'm going by the CVE reports that say it does this to arbitrary files.
cyberwarfareispeace
My entire PC got wiped Do not download
What the hell are NPM and GitHub doing, are they letting this malware exist since it's for the "right" cause? I understand where this guy's heart is at, but this is wrong on so many levels. I reported this to both of them this morning, and they are still up; I can't be the only one. If they don't take it down then that is a serious trust issue there, and represents a new reality where people will willingly host malware if it's for the correct political cause.
I forked the repo to make the README.md more accurate and satirical, but sadly I can't make a PR since he's locked down the repository to only contributors.
https://github.com/4oo4/cyberwarfareispeace
But seriously GitHub and NPM, get your shit together.
What are some alternatives?
es5-ext - ECMAScript extensions (with respect to upcoming ECMAScript features)
peacenotwar - Attempts to determine if the computer it's running on has an IP originating from Russia or Belarus. If it does, then, depending on the version of the malware, it either attempts to delete all files on the computer or creates a text file on the computer's desktop protesting the war in Ukraine.
node-ipc - A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning.
Symfony - The Symfony PHP framework