My entire PC got wiped Do not download

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • node-ipc

    A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning. (by RIAEvangelist)

  • peacenotwar

    Discontinued. Attempts to determine if the computer it's running on has an IP originating from Russia or Belarus. If it does, then depending on the version of the malware it either attempts to delete all files on the computer or creates a text file on the computer's desktop protesting the war in Ukraine.

  • The package uses https://github.com/RIAEvangelist/peacenotwar to deliver the message.

    But I don't understand why/how it would wipe the PC. Unless I missed something, the code from the package does not delete anything.

    > This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now.

    Nah, the author knew it would be controversial. The first sentence is there as an excuse.

  • Windows-Sandbox-Utilities

    A public repository for useful developments surrounding Windows Sandbox

  • This node npm supply chain attack incident is a wake-up call that the current security model of mainstream operating systems such as Linux, MacOSX or Windows is no longer suitable for modern-day threats and that they need a "zero-trust"-like model for applications. Mitigating supply chain attacks like this one requires adopting application sandboxing by default, assuming that any application can be compromised, and a capability-based security model like Fuchsia, Genode OS or mobile operating systems like Android or Apple's iOS. In the case of Linux, the most suitable sandboxes are Docker containers and the Firejail tool that can restrict operating system resources which an application can access, including the $HOME directory. Firejail can even provide a fake $HOME directory. In the case of Microsoft Windows, there is the Windows Sandbox, but it is only available on Windows Pro or Enterprise. But even so, those countermeasures would only prevent the user data from being damaged; malicious NPM packages could still attempt to send credentials, tokens or database information back to the attacker. More details at: https://hkubota.wordpress.com/2020/12/31/comparing-sandboxin... and https://docs.microsoft.com/en-us/windows/security/threat-pro....

    Another suitable mitigation strategy may be to lock dependency versions or switch to other programming languages with a proper standard library and a limited number of packages where one can at least audit the code.

  • cyberwarfareispeace

  • What the hell are NPM and GitHub doing, are they letting this malware exist since it's for the "right" cause? I understand where this guy's heart is at but this is wrong on so many levels. I reported this to both of them this morning, and they are still up, I can't be the only one. If they don't take it down then that is a serious trust issue there, and represents a new reality where people will willingly host malware if it's for the correct political cause.

    I forked the repo to make the README.md more accurate and satirical, but sadly I can't make a PR since he's locked down the repository to only contributors.

    https://github.com/4oo4/cyberwarfareispeace

    But seriously GitHub and NPM, get your shit together.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • gotta admit, gadgetbridge is awesome!

    1 project | /r/fossdroid | 2 Jun 2022
  • Any updates on Rust, and node ipc?

    1 project | /r/rust | 23 Mar 2022
  • Anonymous Takes Anti-Putin Battle to Russian People with Printer Attack to Disrupt Kremlin's Propaganda

    1 project | /r/worldnews | 21 Mar 2022
  • Embedded Malicious Code in node-ipc

    4 projects | news.ycombinator.com | 20 Mar 2022
  • Commentary on the Node-IPC incident and open source supply chains

    2 projects | /r/opensource | 20 Mar 2022