
My entire PC got wiped Do not download

126 points by ahiknsr, about 3 years ago

24 comments

0x38B, about 3 years ago
This is disgusting and thoughtless, because it accomplishes nothing but alienating Russian or Belarusian users. It doesn’t attempt to spread the truth or convince people that yes, Russian forces really are committing war crimes. Killing children.

I would love for pro-“special operation” Russians to find out why Ukrainian hospitals in the war zone keep their lights off at night. Hint: so they won’t be targeted. Spreading those truths could have done some good, but this… this is merely malicious.
tored, about 3 years ago
Me prophetically 2 days ago

> software developers are smart enough to not download crap from the internet, but they will gladly run npm install with full user privileges.

https://news.ycombinator.com/item?id=30684416
chii, about 3 years ago
Regardless of the goals, malware is malware.

I think there's an Overton window here which is getting pushed. People need to stop unilaterally imposing their own form of punishment to a group of people, just to make a political statement.

It was bad with the BLM saga, but apparently at the time, it was too politically incorrect to say. It is still bad now that the Russian invasion is causing an even wider and larger number of such malware.

Make political statements with your government, or do it as a standalone organization. Put ads in the papers, media etc. Don't use an unrelated platform, such as software distribution platforms to make a political statement - esp. if it harms the end user in some ways. There's a name for such action - it's called terrorism. I would hope that the people living in civilized society can see that.
StringyBob, about 3 years ago
I have no idea who or what to believe, but there is a quote from someone claiming to be a NGO documenting war crimes that has had their records wiped by this: https://github.com/IdealismIncinerator/node-ipc/blob/master/README.md
sschueller, about 3 years ago
This package should be immediately removed from the npm repository and the developer should be permanently banned from publishing npm packages.

If you purposely distribute malware you don't get to be part of the package registry as you have proven you can't handle the responsibility.
sally1620, about 3 years ago
Next time someone asks me why you are writing a function yourself instead of using a library, I will show them this.
voldacar, about 3 years ago
From GitHub TOS:

> We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure

Why are they still hosting this? It would seem to violate the CFAA and therefore be unlawful
mfcl, about 3 years ago
The package uses https://github.com/RIAEvangelist/peacenotwar to deliver the message.

But I don't understand why/how it would wipe the PC. Unless I missed something, the code from the package does not delete anything.

> This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now.

Nah, the author knew it would be controversial. The first sentence is there as an excuse.
x86_64Ubuntu, about 3 years ago
This is brutal. I can only imagine the indignation felt if US computers were wiped because of the 2003 invasion.
4oo4, about 3 years ago
What the hell are NPM and GitHub doing, are they letting this malware exist since it's for the "right" cause? I understand where this guy's heart is at but this is wrong on so many levels. I reported this to both of them this morning, and they are still up, I can't be the only one. If they don't take it down then that is a serious trust issue there, and represents a new reality where people will willingly host malware if it's for the correct political cause.

I forked the repo to make the README.md more accurate and satirical (and removed the actual malicious code), but sadly I can't make a PR since he's locked down the repository to only contributors.

https://github.com/4oo4/cyberwarfareispeace

But seriously GitHub and NPM, get your shit together.

EDIT: Finally got a response back from NPM and GitHub that they're investigating.
seanw444, about 3 years ago
At least with Faker.js, it didn't act as malware. Simply a deleted project. That was a more respectable protest. This... well it's certainly an attention-grabber. But if he wants people to be sympathetic to his message, good luck with that now.
jmrm, about 3 years ago
Has the creator thought that a Russian or a Belorussian person who uses this software might be against the government or their country?

Blaming citizens who are mostly uninformed and misled due to information control, and have little real power to change what's happening, doesn't help at all to the current situation.
opisthenar84, about 3 years ago
People frequently forget that the actions of one's government do not necessarily represent an individual's standpoint. Go after high-level officials and oligarchs, but do not go after common folk - they've already lost enough.
rusnoob, about 3 years ago
Microsoft maintains GitHub. This is water on their mill. Use solid, corporate backed dotnet, not random soyware. Next you know FOSS is dead in the water.

If one random supporter of the current thing can cause such a mayhem, imagine what can happen to any of the projects in 2-3 years: you run update and find your server wiped out because capitalism is bad or indigenous people of Tuvalu lost a fishing boat or whatever.

On the longer run this is the end of community projects in mission critical applications.

You are one brain damaging soy latte away from total disaster.
seanw444, about 3 years ago
The Issues for node-ipc have devolved so much, and it's completely hilarious and entertaining to read.
anthropodie, about 3 years ago
I want to mitigate risks like this. Is there a way to limit access to certain directories only while using certain software?
imtringued, about 3 years ago
If war is bad why fight a cyberwar as a civilian?
mkeeter, about 3 years ago
The node-ipc supply-chain attack also made its way into Unity, albeit in the milder "leave a file on the desktop" form:

https://twitter.com/hybridherbst/status/1504223953627369480
stagas, about 3 years ago
You can mitigate against those kinds of attacks using npm's `--before` option:

    npm i --before=`date -I -d '-5 days'`

It will only install packages released before the specified date.
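An added example (not part of the comment above, and not npm's own code) modelling what a `--before` cutoff does to version selection. The version list and dates are constructed sample data, and `cutoffDate` and `resolveBefore` are hypothetical helper names.

```javascript
// Simplified model of how `npm install --before=<date>` narrows the
// candidate versions. Illustration only, not npm's resolution code.

// Constructed sample data shaped like the registry's per-version "time" map.
const SAMPLE_TIMES = {
  created: "2021-01-10T00:00:00.000Z",
  modified: "2022-03-15T12:00:00.000Z",
  "1.0.0": "2021-01-10T00:00:00.000Z",
  "1.1.0": "2021-06-01T00:00:00.000Z",
  "1.1.1": "2022-03-14T09:00:00.000Z",
  "1.2.0": "2022-03-15T12:00:00.000Z",
};

// Rough equivalent of `date -I -d '-5 days'`: a cutoff N days before `now`.
function cutoffDate(now, days) {
  return new Date(now.getTime() - days * 24 * 60 * 60 * 1000);
}

// Numeric compare of plain x.y.z versions (prerelease tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Split versions into those published on or before the cutoff and those
// still inside the delay window, then pick the newest allowed one.
function resolveBefore(times, cutoff) {
  const allowed = [];
  const held = [];
  for (const [key, stamp] of Object.entries(times)) {
    if (!/^\d+\.\d+\.\d+$/.test(key)) continue; // skip created/modified
    (new Date(stamp) <= cutoff ? allowed : held).push(key);
  }
  allowed.sort(compareVersions);
  held.sort(compareVersions);
  return { pick: allowed.length ? allowed[allowed.length - 1] : null, held };
}

const now = new Date("2022-03-16T00:00:00.000Z"); // constructed "today"
console.log(resolveBefore(SAMPLE_TIMES, cutoffDate(now, 5)));
```

The delay only helps if a bad release is noticed and pulled within the window; a committed lockfile installed with `npm ci` keeps builds on already-reviewed versions in the meantime.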
vmception, about 3 years ago
Check out the other "Issues" there, it's going wild!
crazypython, about 3 years ago
This only gives the Kremlin the ability to say "The West is out to get you"
orangepurple, about 3 years ago
Thanks for all the free pizza, and thanks to all the police that showed up to SWAT me. They were really nice fellas.

https://github.com/RIAEvangelist/node-ipc/commit/088a1ca4d5fe5d175c43ee41718b72b017f6f6a4
forgotpwd16, about 3 years ago
Checking source of module, all it does is make a file in desktop. That the issue opener has a troll face as avatar doesn't help in taking their claim seriously.
jaxrtech, about 3 years ago
My guess is that the npm package itself got hijacked? The latest version on npm is v11.1.0 (updated 3 days ago) while master on GitHub is v10.1.0 (updated 9 months ago).