back to article JavaScript library updated to wipe files from Russian computers

The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers' files. Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a …

  1. Anonymous Coward
    Anonymous Coward

    Someone needs a vist from the B-52s

    1. Anonymous Coward
      Anonymous Coward

      If you see a painted sign at the side of the road that says:

      "Fifteen miles to the Love Shack Baby!"

      1. b0llchit Silver badge
        Joke

        Re: If you see a painted sign at the side of the road that says:

        15 miles? That is too far. And what is that thing "love"? That does not sell.

        New sign:

        Free(*) sex in bushes next 15 miles

        Supplies available, all genders welcome

        (*) online

  2. a_yank_lurker Silver badge

    Stupid is as stupid does

    While I am not happy with war in Ukraine, malicious destruction of files, etc. on someone's computer is beyond the pale. From what I have heard there are some anti-war protests in Russia so the war is not universally popular there. You could be destroying someone's computer who actually is on the side of peace.

    1. Ian Johnston Silver badge

      Re: Stupid is as stupid does

      https://www.youtube.com/watch?v=wveW9Tw2JKE

    2. Pascal Monett Silver badge

      Re: Stupid is as stupid does

      Yeah, but when you don't care about collateral damage, or you're too stupid to imagine that your actions just might be detrimental to some people who are not like the ones you lump in one giant category, it doesn't matter.

      So, this Miller is an asshole.

      Oh well, maybe it will help people understand that YOU DO NOT DOWNLOAD LIBRARIES TO YOUR PRODUCTION SERVER.

      1. bombastic bob Silver badge
        Thumb Up

        Re: Stupid is as stupid does

        So, this Miller is an asshole.

        I was thinking 'criminal' but in my mind, you are "not wrong"

        1. sabroni Silver badge

          Re: I was thinking 'criminal'

          Criminal? What crime exactly?

          He didn't install and run that software on your machine, he just wrote and published it. Someone else wrote a pipeline that blindly trusted this package and that is where the crime occurred.

          The author is performing a valuable public service.

          1. MrDamage Silver badge

            Re: I was thinking 'criminal'

            Coke suddenly decides to replace all of the sugar in their drinks with strychnine. But it's not their fault people died, it was the customers who made use of the distribution pipeline who are at fault.

    3. bombastic bob Silver badge
      Megaphone

      Re: Stupid is as stupid does

      the war is not universally popular there

      It is my understanding that the war is universally UN-popular in Russia, among the regular people. Why would they want to become the SOVIET UNION again?

      I have to wonder WHAT LAWS WERE VIOLATED in the (alleged, reported) intentional publishing of MALWARE with the intent of causing damage and copying unwanted files onto people's computers...

      because if THIS is TOLERATED, then WHAT'S NEXT?

      (think of every wacko out there who ever did things in protest that simply IRRITATE everybody and even cause various forms of damage, from throwing paint on people's fur coats, to filing predatory and/or malicious lawsuits to halt a project over some political or environmental pet pieve... (and YES, I'm talking 'new form of cancel culture' and WOKENESS being a major factor here)

      1. Ian Johnston Silver badge

        Re: Stupid is as stupid does

        I have to wonder WHAT LAWS WERE VIOLATED in the (alleged, reported) intentional publishing of MALWARE with the intent of causing damage and copying unwanted files onto people's computers...

        What laws do you think might have been violated? Bearing in mind that anyone using it could have seen what it did.

        1. Anonymous Coward
          Anonymous Coward

          Re: Stupid is as stupid does

          Unless this behavior was documented in the readme, it’ll be “unauthorised access to a computer”

          It’s not caveat admin when it gets to court.

          1. Jaybus

            Re: Stupid is as stupid does

            The code is public. It is very clear that it is purposefully obfuscated. It is the polar opposite of "clearly documentd".

        2. katrinab Silver badge
          Megaphone

          Re: Stupid is as stupid does

          In England, Wales, and Scotland:

          Making, supplying or obtaining articles for use in computer misuse offences - s37 of the Police and Justice Act 2006. There is likely an identically worded law under a slightly different name in Northern Ireland.

          Be real. Before running "npm install vue", how many people browser the dependency tree and read the 50 or so MB of code that it pulls in?

          They will look at the description on the vue website about what it does. Vue had no idea that the code in this dependency had changed.

          1. sabroni Silver badge
            Facepalm

            Re: Vue had no idea that the code in this dependency had changed.

            So what are you saying? Their development model is fatally flawed? How does Vue stop this from happening again? Cross their fingers and hope no-one else does this?

        3. Roland6 Silver badge

          Re: Stupid is as stupid does

          >What laws do you think might have been violated?

          A good question that others seem to have missed, is that the target was Belarus and Russia. Hence is doing 'damage' to computers in these countries a crime under which ever national law the person making the changes was subject to? and does that nation have extradition treaties with Russia and/or Belarus?

          Certainly if the target was say the US then we know immediately that at the minimum the wire fraud laws will have been violated and the US would seek to extradite the relevant people for trial in the US.

      2. Someone Else Silver badge
        Megaphone

        Re: Stupid is as stupid does

        Reel it in, Bob....

  3. Anonymous Coward
    Anonymous Coward

    I imagine anyone finding a surprise file like that on their desktop assumed they were under attack and panicked.

    1. Anonymous Coward
      Anonymous Coward

      I am afraid someone finding a surprise file like that on their desktop might assume they are under attack and launch ICBMs. At whoever they don't like at the moment. In the spirit of the times.

  4. Potemkine! Silver badge

    - Destroying files is bad

    - Adding one .txt file is not, moreover if it's documented.

    If people aren't happy with an open-source project, they are free to develop the component they need by themselves.

    Anyway, integrating directly files into projects from external repositories without checking the content first is a bad practice.

    1. Anonymous Coward
      Anonymous Coward

      It wasn't in the documentation when the library became part of another program, and it's not possible to read the documentation every time a library is updated.

      The argument that the NPM system shouldn't used as it is anyway - I don't think that was the mans intention, so it is besides the point.

      There is current trend, across the political spectrum, that every opinion should be expressed as virulently and strongly as possible in ways that disrupt normal function in any way possible, whatever the collateral damage, and this an logical extension of that, carried in to international conflict.

      I believe that is a wrong and self destructive approach, and restraint combined with strategic focus where it will be effective is the best strategy. Harsh words and name-calling are mostly about making your opponent lose face, but if you aren't prepared to back that up with force it is worse than useless. On the other hand, if your opponent believes they are in checkmate, then allowing them a face saving way to back down is a smart idea - especially if they have nuclear weapons.

    2. rcxb1

      > - Destroying files is bad

      > - Adding one .txt file is not

      As far as I'm concerned, after intentionally publishing malware, Brandon Nozaki Miller (RIAEvangelist) should have had his access to github and NPM permanently revoked with the project's code frozen.

      The second round of malware should never have happened.

      However, I also have to say that dropping a text file somewhere is not harmless. It's unexpected behaviour from code that shouldn't have a need access files in that location. It's one small step from adding desktop icons. e.g. A shortcut to visit amazon.com via sponsored/referred link. If you want to say a file on the desktop with political statements is okay, get ready for the money making schemes to infiltrate and destroy all open source projects...

  5. Jamie Jones Silver badge

    botnet

    NPM is basically a botnet that people subscribe to willingly.

    How anyone could ever think it's a good idea to source libraries live from 3rd parties is beyond me. More efficient local caching of common libraries is about the only thing going for it, but we aren't using dialup modems anymore and the risks far outweigh it.

    The whole thing is insane.

    1. b0llchit Silver badge
      Facepalm

      Re: botnet

      Once we instructed users not to execute programs they downloaded from the internet. That would be a very risky thing to do.

      Now, today, we blindly execute programs.

      "Insanity" is a mild description of the actual catastrophic state of affairs.

    2. Mike 137 Silver badge

      Re: botnet

      "The whole thing is insane"

      Yes indeed, but it serves two purposes for the hosts:

      [1] it protects the developer from having to think about integrating or validating the totality of the code, which speeds up development, saving money

      [2] it reduces the traffic load on the hosting servers, which saves money

      Both of these purposes provide advantage to the providing host, so we're probably stuck with it, regardless of any common sense or hazard to the user.

      As we are (literally) forced to rely on the web more and more to run and maintain our societies, it becomes ever more dangerous to do so. Ultimately, the entire bubble will collapse, by which time we'll have no idea how to pick up the pieces.

      At that point, to loosely quote Monty Python, "Is this the end of the World as we know it" - "Yes" - "Oh"

      1. Jamie Jones Silver badge

        Re: botnet

        My mistake - this particular module is for node.js only, not the browser, so it's serverside js. affecting the server not the client.

        The whole issue is the same though - whether it's servers auto updating/pulling in packages from 3rd party sites, or client run javascript instructing browsers to load 3rd party javascript.

      2. badflorist

        Re: botnet

        [1] is incorrect either way. You do have to think about integration as NPM uses a loose versioning system, especially when the module is compiled client side. ie. it won't run, but it will still integrate. The other way you mention, not validating the totality, that's simply a blind approach (not sure why you list this as a benefit).

        [2] isn't true either but, it's a typical talking through the hat selling point, one that dresses up "load distribution". All these NPM like deployment systems either run 1 time via user, or all the time automatically, does that sound familiar? If code exists on a certain server, then that server will always be hit the same amount of times no matter the ring strategy (heavy math based supercomputers aside). More servers for anything equals less traffic for anything (not just NPM, anything you put on them), but everything will be hit equally per your design (again, supercomputers aside).

        The article mentions this:

        "The continuing rise of the Node.js JavaScript framework has given the world a whole new type of software vulnerability."

        If people think Node.js == NPM, then let me point out that Rust now has the same vulnerability... Cargo (FYI, both NPM and Cargo are controlled by Microsoft). Sadly, most don't know that Node itself doesn't require NPM. However, Node does use the shared packages you can get through NPM (there just vetted differently).

      3. Norman Nescio Silver badge

        Re: botnet

        At that point, to loosely quote Monty Python, "Is this the end of the World as we know it" - "Yes" - "Oh"

        Given that we started with the B-52s*, you could at least have tipped a hat to R.E.M.

        *They were the B-52's.

    3. Someone Else Silver badge

      Re: botnet

      And NPM differs from PyPI how, exactly?

      Well, except for the fact that NPM traffics in JavaScript, that is....

      1. Jamie Jones Silver badge

        Re: botnet

        "And NPM differs from PyPI how, exactly?"

        No idea. So, just as well I wasn't replying about python, in an article about Pypi, isn't it?

        (Substitute similar response for any other whataboutism you care to respond with)

    4. CrackedNoggin

      Re: botnet

      Every Linux distribution depends on third party packages. How is that different? So go with Windows then - but actually Windows is not better than Linux as far as exposure to malware goes and it's not a pleasant environment in which to develop (imo).

      While I agree that the current promiscuity is excessive - where do you draw the line and what is "live"? A mechanism already exists for locking versions - the reasoning for not using that is to allow automatic security updates - and that is not totally unreasonable.

      Ultimately we will see less layers of dependency, and better judgement about when to introduce a dependency.

      1. Jamie Jones Silver badge

        Re: botnet

        This isn't about using third party libraries, it's about loading/updating them from a server out of your conttol, into your live software.

        What is live? Errm what? How is that debatable? Production code, in use, with real data - as opposed to code in development on someones local computer which no-one else is accessing except maybe other people on the development team.

        It's an easy line. Host your software. Don't be in a situation where your live (sorry, production/in use) code can be altered by someone else outside your team.

        As for 3rd party libraries, I'll happily update packages on my personal machines, after reading changelogs, and if something breaks, I'll try and sort it out, but you can be bloody sure I won't update dependencies on live server code in such a cavalier way, and ESPECIALLY not in an automated way.

        This is nothing unusual. It's standard practice, but more, it's common sense. At my last job, 1000's of people in the company used my teams software that ran on internal servers. We all liked our jobs too much to allow random people in the world to alter our live (running) code at will.

        The fact this distinction isn't obvious to you leads me to believe you are of the younger generation that is responsible for this mess.

        I don't look forward to the future when all us grey beards have retired, and new software is required for new traffic lights/hospital equipment/nuclear power systems/autonomous cars...

        1. Androgynous Cow Herd

          Re: botnet

          "1000's of people in the company used my teams software that ran on internal servers. We all liked our jobs"

          Never mind the code stuff...where is this mythical tech company where 1000s of people liked their job?

          /me updates resume

  6. LDS Silver badge

    When you build a business model on "idealism" and "activism"...

    ... don't complain when it works in ways you don't like. Even if "idealism" and "activism" were only ways to have others work for you for free....

  7. T. F. M. Reader Silver badge

    Any sanctions?

    So, has GitHub (that's MSFT, right?) applied any sanctions to the guy? In my opinion, it's beyond unprofessional, regardless of whether one agrees with his views or not. I'd expect him to be kicked out and get a lifetime ban or something, if it is technically possible.

    As for all the developers, presumably some (many?) of them commercial companies, that pulled this stuff without stopping twice that's essentially a supply chain attack. A trivial one, and, one assumes, trivially preventable. IANAL, and I may be hopelessly naive, but I think some level of "duty of care" is expected to be exercised while producing stuff others use, even if it is "just software".

    And as a related point: I am not a JS expert by any stretch, but I thought that the browser was supposed to cuddle any JS in some kind of sandbox. How come a random piece can do IPC or delete arbitrary files or drop files on the Desktop? Can anyone enlighten me?

    And as an afterthought: does it even work on a Mac?

    1. This post has been deleted by its author

    2. Security nerd #21

      Re: Any sanctions?

      Your browser will download what it is told to from the web server you are connecting to - and that will be independent of any other browser tabs and the versions of javascript modules loaded on those pages.

      The NPM updates would be on to the web server and then distributed to the clients on page load.

      Whether your browser tab will do stuff outside of its sandbox is subject to the browser version, desktop security, and user stupidity (e.g "Click here to win lots of money"). This is regardless of platform - Windows / Linux or Mac

      As other people have noted, doing NPM updates from the web blindly is not good practice - but unfortunately some web developers don't see it that way.

      1. Jamie Jones Silver badge

        Re: Any sanctions?

        No, nothing to do with the browser, this is all server-side javascript. It's the servers that would be comprimised in this case, see my other post above this one.

        1. Missing Semicolon Silver badge
          Devil

          Re: Any sanctions?

          "server-side javascript". There's the vulnerability right there!

          1. albaleo

            Re: Any sanctions?

            Is it the javascript that's the vulnerability or whatever lets the javascript code run? While there may be many headaches with javascript, it's still just a scripting language. Is it not what lets it wipe files that is the problem?

          2. Anonymous Coward
            Anonymous Coward

            Re: Any sanctions?

            It is notable that Dino attempts to address this problem by making the file system off limits ,by default, to server side executables. That's a good idea anyway.

            Running everything in containers is also a good idea - memory, resources, and time permitting.

    3. Jamie Jones Silver badge

      Re: Any sanctions?

      This is a node.js NPM package. I.E. This is serverside jacascript, not browser javascript.

      NPM is "Node Package Manager", like apt, or pkg or deb etc.

      The attacked computer would be the server running the application. The basic problem is the package manager has rhe ability to auto-update dependencies, and most people seem to usr it that way, so the changed files are loaded into someones server application.

      Do npm packages work in browser or only in Node.js

      Node Package Manager Guide: Install npm + Use Commands & Modules

      Maybe Automatically Updating Dependencies Isn’t a Great Idea

    4. Ian Johnston Silver badge

      Re: Any sanctions?

      A trivial one, and, one assumes, trivially preventable. IANAL, and I may be hopelessly naive, but I think some level of "duty of care" is expected to be exercised while producing stuff others use, even if it is "just software".

      I don't think the "just software" matters as much as the "for free, with no contract and no mutual obligations whatsoever". That guy in Nebraska owes nothing to the rest of the edifice.

    5. DomDF

      Re: Any sanctions?

      Im still waiting for GitHub to sanction Russia

    6. bombastic bob Silver badge
      Pirate

      Re: Any sanctions?

      I'd expect him to be kicked out and get a lifetime ban or something,

      If he's lucky, that's all that would happen.

      It could go as far as CRIMINAL CHARGES and/or EXTRADITION.

    7. Elledan

      Re: Any sanctions?

      The hilarious thing about NPM is that it's not just JavaScript. Many dependencies in NPM contain C, C++ and other code that gets compiled into a native binary upon installation.Especially when you use NodeJS, you give up any pretense of sandboxing, as still kind of happens with browser-based JS (gaping security holes like WebGL aside).

      This means that NPM packages should be treated as native code, and you have to ask yourself whether you feel comfortable whatever random code happens to get sucked down along with all other dependencies whenever you run 'npm install'.

      If your habit is to run whatever PythonScript or C or Rust or D you copy blindly off GitHub, StackOverflow, etc., then you're pretty much in the same boat as the NodeJS devs who get their systems wiped or encrypted by malware on a monthly basis because someone YOLO'ed something naughty into the NPM repos again.

  8. heyrick Silver badge
    Mushroom

    I agree with the sentiment, but it's an utterly dick move.

    There's no excuse for randomly trashing files, especially given as one cannot equate Russia with western democracies - just look at how war protesters are being treated. The cops are more than happy to throw young children into cells (but, then, in the country they are stomping over, the army seem more than willing to consider them acceptable targets). As such, you cannot know the thoughts and political opinions of the person who ends up running your code, other than to be pretty certain that if their files end up being replaced by heart symbols, they are quite likely to think westerners are a bunch of hypocritical wankers.

    On a different note, this does highlight the obvious flaw in fetching and using stuff on the internet, as opposed to using known versions hosted locally. There is the argument that using the latest versions will be better against security flaws than older ones, but then again newer versions aren't necessarily better if the author is a complete fucking arsehole that thinks it's okay to wipe people's data. That's malware behaviour.

    Icon because Putin is the main problem, not random citizens.

    1. badflorist

      "Icon because Putin is the main problem, not random citizens."

      Well, it looks like random citizens that develop NPM's are a problem too.

  9. aerogems Bronze badge
    FAIL

    No lessons learned

    I understand the motivation of the developer, even if I don't agree with it... however, this once again exposes a critical weakness in these JavaScript package managers that will likely fall on people who are intentionally blind, deaf, and dumb to the problem. Even if you catch things like this within a couple hours, it likely has spread to tens of thousands, even millions, of unsuspecting users visiting seemingly safe sites. If someone just adds a cryptominer dependency to some popular package way down the chain, by the time anyone catches it, they'll probably have managed to make more than enough money to make it well worth the effort.

    1. martinusher Silver badge

      Re: No lessons learned

      He's actually doing us all a huge favor without realizing it.

      Javascript is a train wreck. Its grown way beyond where its safe or sane for this type of script environment to be. Its OK for throwaway stuff -- it doesn't matter that much if a particular page on a newspaper website crashes the program (like it did this morning), its just a 'reload and avoid the page' job. Its not safe, secure or structured enough to be trustworthy for real work.

      1. Jamie Jones Silver badge
        Thumb Up

        Re: No lessons learned

        "All the traffic lights have turned green at the same time? Just click refresh. Sorry about all the car crashes"

        It's just like the next generations version of the "just switch it off and on again" mentality from the Microsoft era, and as with that, it should never be the philosophy applied to critical systems

        1. irrelevant

          Re: No lessons learned

          Set of temporary traffic lights near me failed just a couple of days ago. Gone are the days of an electromechanical timer and wires strung between them; these have smarts and link via radio. Much more to go wrong. And they did.

          At least they failed to all-red. Chaos on the street though. I let the cops know (driving through a red light is still an offence) but some good samaritan decided to push them all over instead..

  10. Zanzibar Rastapopulous

    One guy...

    Surely one guy shouldn't be able to do this? Sod his criminality or peace protest. People could be running any old crap with no clue they're doing it.

    This should be a proper kick up the security arse.

  11. Anonymous Coward
    Anonymous Coward

    Agent Jess La Croix on the line

    I hope Miller is sweating bullets, this kind of mischief can carry very stiff penalties in good ol' USA

    1. CQCoder

      Re: Agent Jess La Croix on the line

      Objectively, I think it's a a real question as to whether he broke any laws. No one makes people use his software - in fact, the opposite. You had to download it deliberately or as a dependency. Sure, it should be forked and he should be kicked off GitHub, etc permanently....but past that....I dunno.

  12. Henry Wertz 1 Gold badge

    Bad idea

    Bad idea. I support Anonymous' attacks on Russian systems and exfiltration of data. Overwriting systems based on IP-based geolocation? BAD IDEA. A) I'm not for automated destruction of people's systems anyway -- pick your targets. Wiping out some rando's system because they happen to be (maybe) in Russia is seriously a dick move. B) Geolocation IS UNRELIABLE. If this had been in the wild long, the chance is very high you would have overwritten random people's systems that are in no way associated with Russia or Belarus.

    I have 0 complaints about peacenotwar -- a lib that is likely used as a nuisance, but it's non-destructive, doing what it says it does and can be included or not in other projects.

    As for node-ipc... I definitely (as I've said) cannot condone destroying people's systems based on geolocation. Putting a file on the system as peacenotwar does? I'd strongly prefer my libs to do exactly what I ask them to do and nothing else, but this is one of the risks people take from using a system like npm -- near-continuous updates with essentially nobody vetting the packages, or their dependencies, instead waiting until problems show up and taking care of it after the fact.

  13. CQCoder

    Accomplished...nothing..

    Arm chair activists are wusses. The are incredibly selfish. The did this stuff to make themselves feel better. What did he accomplish? Nothing. Well..that's not true. He's sounded the beginning of the end of open source in the corporate work place. I'm fine with this - I've said for a long time it's a serious mistake to use something controlled by small number of people in a corporate application. Angular? Sure. This one guy and his library? Hell no. Why? Because even smart people are stupid. So I sort of want to thank him for kickstarting this.

    Past that...I have no use for him. What was this supposed to do? Awareness? Pretty sure everyone knows about it. Stop Russia? Yeah. Sure. So it accomplished...nothing. Zero. Nada. If anything, he has distracted people from the war. Gratz dude.

    I don't really care if he had the 'right' to do this or not. I'm on the side of 'why did you trust him in the first place?'

    No one will use this library or anything else he writes going forward. He will forever be the guy that is willing to sabotage millions of people's work for....essentially no reason. No one will want to hire him. He has no integrity. He cannot be trusted. That's his accomplishment.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022