
American NGO affected by your recklessness (node-ipc vulnerability)

31 points by aw9f70gae, about 3 years ago

10 comments

ObiWanFrijoles, about 3 years ago

This issue has turned into an absolute embarrassment.

https://github.com/RIAEvangelist/node-ipc/issues/233

People like the maintainer are doing nothing but harm to the mutual trust that exists in the open source community.
adlpz, about 3 years ago

What an absolute dumpster fire. These issues will end up harming decades-old traditions of open source collaboration and hacking.

This is *not* the way.
thatguy0900, about 3 years ago

The real reason this shouldn't be allowed is because the internet is absolutely not secure enough for citizens from one country to start attacking other countries. You think it's funny to wipe a Russian's hard drive with a heart, but I guarantee what they do back out of spite won't be. The very epitome of throwing rocks from glass houses.

Comment #30726176 not loaded
Comment #30717730 not loaded
leonry, about 3 years ago

Related: https://news.ycombinator.com/item?id=30703817
rosndo, about 3 years ago

Sounds like a fake story. What idiots would only store their war crime evidence database inside the aggressor state and not keep backups of it abroad?

If true, this arrangement was pretty much doomed to fail anyway. node-ipc did a good thing by notifying them of their folly before the Belarus KGB or Russian FSB did.

Comment #30725346 not loaded
badRNG, about 3 years ago

For the TL;DR types:

> We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

> Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we back up the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.

> Personally, me and my colleagues are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Professionally, our counsel suggested filing criminal charges federally and it's likely we'll be proceeding this way.
robotnikman, about 3 years ago

This is the first time I've seen someone weaponize a repo like this; it's rather concerning.

Comment #30718327 not loaded
stagas, about 3 years ago

You can mitigate against those kinds of attacks using npm's `--before` option:

    npm i --before=`date -I -d '-5 days'`

It will only install packages released before the specified date.
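Added example, not part of the thread or of npm itself: the selection rule behind `--before`, modelled offline. npm resolves a version range against the registry's metadata for the package (the "packument"), whose `time` map records when each version was published; with `--before=<date>`, any version published after that date is treated as if it did not exist. The package name, version numbers and timestamps below are constructed for illustration (they are not node-ipc's real release history), and the caret-range matcher is a deliberately minimal stand-in for npm's semver library. The `beforeFlag` helper computes the same cutoff the comment's `date -I -d '-5 days'` does.

```javascript
// Added example (not from the thread, not npm's own code): how a publish-date
// cutoff changes which version a range resolves to. Data below is constructed.
const packument = {
  name: 'example-lib',                   // hypothetical package
  'dist-tags': { latest: '10.1.2' },
  time: {
    created: '2021-01-01T00:00:00.000Z',
    modified: '2022-03-08T16:00:00.000Z',
    '10.0.0': '2021-06-01T00:00:00.000Z',
    '10.0.1': '2021-09-15T00:00:00.000Z',
    '10.1.0': '2022-01-10T00:00:00.000Z',
    '10.1.1': '2022-03-07T12:00:00.000Z', // imagine: freshly pushed, unreviewed
    '10.1.2': '2022-03-08T16:00:00.000Z', // imagine: freshly pushed, unreviewed
  },
};

const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)$/;

function parseVersion(v) {
  const m = VERSION_RE.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal caret matcher: "^X.Y.Z" means same major as X and >= X.Y.Z.
// (Only the major > 0 case is handled; enough for this demonstration.)
function satisfiesCaret(range, v) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  return parseVersion(v)[0] === parseVersion(base)[0] && compareVersions(v, base) >= 0;
}

// Resolve `range` against `packument`, ignoring every version whose publish
// time is after `before` (an ISO date string, interpreted as UTC midnight,
// the same way `--before=YYYY-MM-DD` is). Returns null if nothing qualifies.
function resolve(packument, range, before = null) {
  const cutoff = before ? new Date(before).getTime() : Infinity;
  const candidates = Object.keys(packument.time)
    .filter((k) => VERSION_RE.test(k))                             // skip created/modified
    .filter((v) => new Date(packument.time[v]).getTime() <= cutoff) // the --before rule
    .filter((v) => satisfiesCaret(range, v))
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Build the flag the way the comment's shell one-liner does: today minus N days.
function beforeFlag(daysBack, now = new Date()) {
  const cutoff = new Date(now.getTime() - daysBack * 24 * 60 * 60 * 1000);
  return `--before=${cutoff.toISOString().slice(0, 10)}`;
}

// Without a cutoff the two newest (hypothetically malicious) releases win;
// with a cutoff a few days back, resolution falls back to the older release.
console.log('no cutoff     :', resolve(packument, '^10.0.0'));                // 10.1.2
console.log('before 03-03  :', resolve(packument, '^10.0.0', '2022-03-03'));  // 10.1.0
console.log('flag for today:', beforeFlag(5));
```

Two caveats a practitioner would want alongside the one-liner: `--before` is a delay window, not a vulnerability check, so a malicious release simply becomes installable once the window moves past it; and it applies to resolution from the registry, so a committed lockfile plus `npm ci` is still the first line of defence against an unplanned update on a production host. Pairing the install with `--ignore-scripts` (a real npm flag, not something the comment mentions) additionally stops install-time lifecycle scripts from running, though it does nothing about code that runs when the module is later required.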
devwastaken, about 3 years ago

The maintainer, riaevangelist, appears to be breaking federal hacking laws by including the "peacenotwar" malware. They falsely claim it only shows a message on the user's desktop; however, it actually recursively overwrites the user's files.

https://github.com/RIAEvangelist/node-ipc/issues/319

The maintainer has taken to banning anyone pointing this out. I don't believe this is someone with good intentions. Riaevangelist may have had their account stolen. Either way they are clearly operating in support of Russia under a false flag, an increasingly common and complex issue.

Given the supposed criminal nature of these acts, GitHub and other servers must step in to remove the offending commits, releases, and maintainers. Allow someone else to fork it.

Comment #30714000 not loaded
Comment #30715061 not loaded
Comment #30713207 not loaded
asveikau, about 3 years ago

This issue sucks. Software packages should not intentionally cause data loss.

However, the person who filed this should have had better backups.

Edit: ok, re-read it. They have a process for backups but the invasion interrupted the process. That sucks.