node-ipc sabotages JavaScript developers

GLOBAL – On March 15, in an apparent act of protest against the Ukraine crisis, a supply chain attack was launched that affects users of the popular JavaScript front-end development framework Vue.js and the Unity Hub. The attack creates a file containing an antiwar message and introduces security vulnerabilities; an earlier version corrupted user files on machines geolocated in Russia and Belarus, replacing characters with heart emoji.

This was the result of the maintainer of node-ipc, Brandon Nozaki Miller (nicknamed RIAEvangelist), tampering with two of the framework’s nested dependencies, node-ipc and peacenotwar. Nested dependencies are additional packages that a piece of software depends upon and that the package manager downloads automatically. Using dependencies is a normal part of how open source applications and tools work, but it is also a mechanism that can be exploited to bring vulnerabilities onto unsuspecting users’ machines.

Liran Tal, Director of Developer Advocacy at Snyk, said: “While we are firmly opposed to what’s happening in Ukraine, intentional sabotage such as this undermines the global open source community. The impact of supply chain security incidents continues to demonstrate the need to properly manage and react swiftly to the risks with open source dependencies.”

Build up to the attack

The story of this attack shows the potentially very disruptive and effective impact supply chain attacks can have. On March 8, the package peacenotwar was published on npm, a central repository for JavaScript developers. The package was designed to simply show an anti-war message on users’ desktops. On its own, it had very little impact and few downloads.

That changed dramatically on March 15, when the maintainer, RIAEvangelist, added peacenotwar as a dependency to another package he had control over, node-ipc. Node-ipc is a very popular communications module which is used – and automatically downloaded – by many other popular packages, including Vue.js, and specifically its command line tool, Vue.js CLI through its package @vue/cli. The release also explicitly adds a dependency on colors@* which pulls in intentionally vulnerable source code, following the actions of another rogue maintainer.

Liran Tal concludes: “With concerns about future code updates that may put users at risk, we recommend avoiding the node-ipc npm package entirely. If this npm package is bundled in your project as part of the application you are building, then we recommend that you use the npm package manager’s feature to override the sabotaged versions altogether and pin down the transitive dependency to a known-good version.”
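The two steps in that recommendation, auditing a lockfile for the packages named in this incident and pinning the transitive node-ipc through an npm `overrides` entry, as an added example that is not part of the original article or Snyk's tooling. The lockfile is constructed sample data and every version number in it, including the "known-good" pin, is a placeholder rather than a real release number.

```javascript
// Added example (not from the article): audit an npm lockfile (v2/v3 shape,
// where "packages" is keyed by node_modules path) for the packages the article
// names, then emit the package.json "overrides" block that pins node-ipc.
// All version numbers below are CONSTRUCTED placeholders.

// Packages the article names as sabotaged or intentionally vulnerable.
const WATCHLIST = ["node-ipc", "peacenotwar", "colors"];

// Constructed lockfile: @vue/cli pulls in node-ipc, which pulls in the others.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@vue/cli": "^5.0.0" } },
    "node_modules/@vue/cli": { version: "5.0.0", dependencies: { "node-ipc": "^10.0.0" } },
    "node_modules/node-ipc": { version: "10.0.0", dependencies: { peacenotwar: "*", colors: "*" } },
    "node_modules/peacenotwar": { version: "1.0.0" },
    "node_modules/colors": { version: "1.0.0" },
  },
};

// Return every installed copy of a watchlisted package, with its path and version.
// Nested installs ("node_modules/a/node_modules/node-ipc") resolve to the same name.
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (watchlist.includes(name)) hits.push({ name, path, version: meta.version });
  }
  return hits;
}

// Hits whose installed version differs from the version you vetted and pinned.
function checkPins(hits, pins) {
  return hits.filter((h) => pins[h.name] !== undefined && h.version !== pins[h.name]);
}

// The package.json "overrides" entry (npm 8.3+) that forces every transitive
// node-ipc to the pinned version. KNOWN_GOOD is a placeholder, not a real release.
function buildOverrides(knownGood) {
  return { overrides: { "node-ipc": knownGood } };
}

const KNOWN_GOOD = "9.0.0"; // placeholder: substitute the version you have reviewed
const hits = findWatchlisted(SAMPLE_LOCK);
console.log("watchlisted packages in lockfile:", hits);
console.log("copies not matching the pin:", checkPins(hits, { "node-ipc": KNOWN_GOOD }));
console.log(JSON.stringify(buildOverrides(KNOWN_GOOD), null, 2));
```

After adding the `overrides` block to package.json, rerun `npm install` and repeat the lockfile audit; `checkPins` should then report no mismatches.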

If you are looking for more information about this vulnerability, including in-depth code analysis, read Liran Tal's blog post. In addition, Snyk is available to answer questions about this vulnerability and its possible consequences. If you are interested, you can send a message to alex.blake@archetype.co.