Hello, welcome to the Friday, March 18th, 2020 edition of the Sandsenert Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida.

The war in Ukraine is still dominating the news and also having its effect on network security topics.

For example, the developer of the Node IPC package decided to add a new dependency to the module called Peace Not War,

which apparently is overriding files of users that are located in Belarus or

Russia. It started all harmless enough with a warning message, but then later the code was

modified again and now overrides files four systems located in Belarus and Russia with a simple heart symbol.

Geolocation is done by IP address and of course with some of the ambiguities in geolocation.

This could potentially also affect users outside of the targeted area.

What makes that also so significant is that the Node IPC package is used by the Vue CLA package.

And Vue, of course, Vue.js' major framework, very popular by many developers.

So this is how this particular alteration was included in a number of projects.

And the Peace Not War module apparently was downloaded about 30,000 times at the time when SNCC wrote up a great blog post

with all the details and all the different modifications that these modules went through.

The note IPC package has now been marked as malicious, so hopefully that'll prevent any further

fallout here.

But since it is an important dependency,

marketing as malicious may also cause other things to break.

I wouldn't be surprised to see more packages published like that,

in particular since this peace, not war package is out there now.

There is sort of a template

to follow in order to basically do the same thing that Note IPC did here.

...