
Even if the deliberate and dangerous

Posted: Mon Feb 10, 2025 6:02 am
by relemedf5w023
The code has undergone several changes since its inception and should be considered extremely dangerous. To highlight its potential danger, Miller encoded his code changes in base-64 to make it difficult to detect the problem by simply reading the code.

In fact, Node-ipc is now unusable. But that's easier said than done. It's present in many programs and is used for local and remote interprocess communication (IPC) on Linux, Mac, and Windows systems. It's also used in the very popular vue-cli JavaScript framework for building web user interfaces. It's the one that this malware used to destroy a large number of systems.

“Even if the deliberate and dangerous act of the RIAEvangelist maintainer is perceived by some as a legitimate act of protest, how will this reflect on his future reputation and contributions to the developer community? Can he ever again be trusted not to take similar or even more aggressive actions against any projects he is involved with in the future?” asked Liran Tal, the Snyk researcher who discovered the issue. Miller himself, defending his package on GitHub, said: “It’s all public, documented, licensed, and open source.”

But what if another maintainer had done something similar and left no such message? And why was the dangerous code hidden, preventing users from making an informed decision?

In any case, humans are notoriously bad at reading documentation. Besides, as Sophos senior threat researcher Sean Gallagher pointed out on Twitter, anyone who just adds code to their production systems on their own is asking for trouble. “If you’re live-installing dependency patches that you don’t have quality control over, you’re not doing SecOps,” he said.
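
The post notes that the changes were base64-encoded so they would not stand out when reading the code. As an added example (not part of the original post and not code from node-ipc), the following Node.js sketch shows one review aid for that pattern: it flags quoted string literals in dependency source that are valid base64 and decode to readable text. The function names and the sample input are constructed for illustration.

```javascript
'use strict';

// Quoted string literals of 8+ base64 characters (padding optional).
const LITERAL = /(["'`])([A-Za-z0-9+/]{8,}={0,2})\1/g;

// Return the decoded text if `s` is canonical base64 for printable ASCII, else null.
function decodeIfReadable(s) {
  if (s.length % 4 !== 0) return null;
  const buf = Buffer.from(s, 'base64');
  // Round-trip check rejects strings that only resemble base64.
  if (buf.length === 0 || buf.toString('base64') !== s) return null;
  // Ordinary identifiers usually decode to binary noise; keep readable results only.
  for (const b of buf) if (b < 0x20 || b > 0x7e) return null;
  return buf.toString('latin1');
}

// Scan source text and report { line, literal, decoded } for each hit.
function findEncodedLiterals(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(LITERAL)) {
      const decoded = decodeIfReadable(m[2]);
      if (decoded !== null) hits.push({ line: i + 1, literal: m[2], decoded });
    }
  });
  return hits;
}

// Constructed sample input, not taken from any real package.
const SAMPLE = [
  "const fs = require('fs');",
  "const a = Buffer.from('Li9jb25maWcvc2V0dGluZ3M=', 'base64').toString();",
  "const name = 'interprocess';",
  "const b = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZ2Vv');",
].join('\n');

for (const h of findEncodedLiterals(SAMPLE)) {
  console.log(`line ${h.line}: ${h.literal} -> ${h.decoded}`);
}
```

A hit is a prompt for manual review rather than proof of anything, and literals that are split, concatenated or encoded another way will not be flagged.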