From thehackernews.com
In what’s an act of deliberate sabotage, the developer behind the popular “node-ipc” NPM package shipped a tampered new version to condemn Russia’s invasion of Ukraine, raising concerns about the security of the open-source ecosystem and the software supply chain.
Affecting versions 10.1.1 and 10.1.2 of the library, the alterations introduced by its maintainer RIAEvangelist targeted users whose IP addresses geolocated to either Russia or Belarus, wiping arbitrary file contents and replacing them with a heart emoji.
Node-ipc is a prominent node module used for local and remote inter-process communication (IPC) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads.
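A practical response to an incident like this is to check whether the two affected releases named above are anywhere in a project's dependency tree, including copies nested under other packages. The script below is an added example, not code from the article or from node-ipc; the affected versions come from the text, and the lockfile it scans is constructed sample data.

```javascript
// Scan an npm lockfile for the sabotaged node-ipc releases (10.1.1, 10.1.2).
// Package name and versions are taken from the article; everything else is illustrative.
const AFFECTED = { "node-ipc": new Set(["10.1.1", "10.1.2"]) };

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path, so a nested copy
// appears as "node_modules/<parent>/node_modules/node-ipc". Lockfile v1 instead nests
// transitive dependencies under each entry's own "dependencies" object.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = AFFECTED[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself, not a dependency
      // Take the segment after the last "node_modules/"; scoped names keep their "@scope/".
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      check(name, meta.version, path);
    }
    return hits;
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, where + "/"); // recurse into nested (v1) dependencies
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the app pins a safe node-ipc at top level, but a dependency
// pulls in one of the affected versions underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-tool": { version: "3.0.0" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "10.1.2" },
  },
};

// For a real project: findAffected(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(findAffected(SAMPLE_LOCK), null, 2));
```

A hit at a nested path means the affected copy was brought in transitively, so pinning node-ipc in the top-level package.json alone would not remove it.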