The node-ipc protest-ware incident
In March 2022, shortly after Russia's full-scale invasion of Ukraine, the maintainer of node-ipc — an npm package with several million weekly downloads — published versions that contained code designed to delete files on computers with IP addresses geolocated to Russia and Belarus.
This was a new category of supply chain incident: not an external attacker compromising a package, but a maintainer intentionally weaponizing a package against users in a specific country. It forced a direct confrontation with questions about what "malicious" means in the context of open-source software.
Background: node-ipc
node-ipc is an npm package for inter-process communication in Node.js. It is a dependency of vue-cli, the official scaffolding tool for Vue.js projects. Through this relationship, any developer who ran vue-cli to create a new Vue.js project would install node-ipc as a transitive dependency — including developers with no direct knowledge of node-ipc's existence.
The package's maintainer, Brandon Nozaki Miller (known as RIAEvangelist on GitHub), had a long track record as an npm publisher.
What the malicious versions did
Miller published several versions of node-ipc with varying payloads. The most impactful version included code that:
- Checked the user's public IP address using an external geolocation API
- If the IP geolocated to Russia or Belarus, attempted to overwrite files in the user's home directory with a heart emoji (♥)
- Created a file called WITH-LOVE-FROM-AMERICA in the same directory
The payload was intended to be disruptive to Russian users as a protest against the war. The effect on actual Russian users is unclear — by the time the payload was widely distributed, many Russian developers had already switched to VPNs or were using IP addresses that didn't geolocate to Russia.
The effect on non-Russian users who happened to geolocate unexpectedly (VPN users, users on shared corporate networks with Russian IP ranges) was collateral damage.
Why this was different from the colors incident
The colors.js incident (Section 19) was disruptive but not destructive — infinite loops cause crashes but don't delete data. The node-ipc payload was intentionally destructive. It overwrote files.
More importantly, the payload was geographically targeted. This introduced a new category of supply chain risk: a package that behaves differently based on who you are. The same install command produces different behavior depending on the user's IP address.
The reaction
The npm security team removed the malicious versions and published a security advisory. The Vue.js team removed node-ipc as a dependency of vue-cli and replaced it with an alternative.
The reaction in the open-source community was divided. Some argued that a maintainer has the right to control their software and protest as they see fit. Others argued that intentionally shipping destructive code to users who trusted you is a supply chain attack regardless of motivation.
From a technical security perspective, the distinction doesn't matter much: the mechanism (a maintainer publishing unexpected behavior to millions of installs through a trusted channel) is identical whether the motivation is political, financial, or malicious.
How Veln would have handled it
The geolocation check. In the canary sandbox, the package would have attempted an outbound HTTP request to a geolocation API. This network call is recorded but blocked. The sandbox report would show: "Package attempted outbound connection to ipapi.co during install." This is unusual for a utility package and would trigger a WARN verdict.
File write operations. The sandbox records all filesystem writes outside the package directory. Attempting to write to the user's home directory during an install is the specific behavioral signature that triggers a forced WARN.
The AST diff. Comparing the malicious version to the previous safe version, Veln's diff analyzer would have flagged: new HTTP request to an external geolocation API in install-time code, new file write to a home directory path, new conditional logic based on geolocation result.
Geopolitically targeted supply chain attacks use the same mechanism as criminal ones. Veln's behavioral analysis catches the behavior, not the motivation.