Information Security 5 min read

Malicious npm Packages: The “peacenotwar” Incident and Its Impact on the Frontend Ecosystem

The article exposes a malicious npm package called peacenotwar, injected by a politically motivated author into the node-ipc dependency of vue-cli. It creates a hostile file for users in Russia and Belarus, which prompted npm to block the package and highlighted the fragility of the frontend supply chain.

IT Services Circle

Hello, I am ConardLi. Today the frontend community is in an uproar again over an npm package.

The issue started when a colleague, while building a frontend project with npm, found that launching the project automatically created a file named WITH-LOVE-FROM-AMERICA.txt on the desktop.

Further investigation, with help from the community, revealed that this text file originated from the node-ipc dependency of vue-cli. The author of that package, RIAEvangelist, a self-declared anti-war activist, created a repository called peacenotwar to promote his political stance.

Even more alarming, the author added malicious JavaScript to older versions (10.1.1-10.1.2) of the package. When run, it detects users from Russia or Belarus via a third-party IP lookup service and then overwrites files in the current, parent, and root directories with a heart symbol, effectively destroying user data.

The malicious code is obfuscated only with simple Base64 encoding. The npm registry has since blocked every version containing the peacenotwar module; installing one now fails with the error npm ERR! 451 Unavailable For Legal Reasons.

This incident follows previous controversies involving colors.js and faker.js, where the authors inserted malicious code or took down their repositories, even though both packages had millions of downloads.

The episode underscores how fragile the npm ecosystem is: a single compromised low-level dependency can jeopardize massive frontend projects that rely on thousands of transitive packages, most of which nobody on the project ever chose deliberately.

Such behavior, whatever the motive, must be stamped out because it erodes trust in the open-source community. As one Zhihu answer put it, developers should avoid politicizing open-source discussions and instead focus on maintaining a unified, inclusive ecosystem.

What are your thoughts on this?

Tags: open-source, npm, supply chain security, frontend ecosystem, malicious code, node-ipc, political activism
Written by IT Services Circle

Delivering cutting-edge internet insights and practical learning resources. We're a passionate and principled IT media platform.
