
Supply Chain Poisoning in node-ipc: Analysis, Impact, and Mitigation

Developers discovered that the npm package node‑ipc, a transitive dependency of vue‑cli, shipped protestware: a routine that overwrites files on hosts whose IP geolocates to Russia or Belarus, followed by a “peacenotwar” module that drops a file on every install. The discovery prompted security analysis, debate about open‑source supply‑chain risk, and concrete remediation steps, from pinning the package to stripping the offending code out of node_modules.


Recently, many developers reported that node-ipc, a dependency of vue-cli, creates an empty file named “WITH-LOVE-FROM-AMERICA.txt” in several locations. The package is downloaded millions of times a week, so both npm and Yarn users are affected.

Supply‑chain poisoning under the banner of anti‑war?

Further investigation revealed that the author of node-ipc, RIAEvangelist, had committed malicious code that checks whether the host’s public IP geolocates to Russia or Belarus and, if so, overwrites files with a heart symbol. The author also created a separate package and repository, peacenotwar, to promote his anti‑war stance.

The malicious source can be seen at https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js . TC39 delegate and web‑development engineer He Shijun analyzed the code on Zhihu, noting that it is minified and hides its strings behind base64 encoding: it looks up the user’s IP against a geolocation service and, for Russian and Belarusian addresses, attempts to overwrite files in the current directory, its parent directories, and the filesystem root.

Although the author later removed the code, He Shijun considers this a severe supply‑chain attack that damages trust in the open‑source ecosystem, regardless of the author’s political motives.

OpenHarmony project committee director Luo Wei also emphasized that open‑source software supply‑chain security is a critical issue, likening it to the seriousness of the Log4j incident and suggesting potential legal implications.

Developers have proposed a stop‑gap remediation: after a normal install, search the whole project for “peacenotwar” and delete every occurrence, remove the peacenotwar directory under node_modules, and comment out the import of “peacenotwar” in node_modules/node-ipc/node-ipc.js so the project runs again. This only neutralizes the file‑dropping module; it does not address the version that overwrites files, which has to be avoided by pinning.

Vue CLI released version 5.0.2 ( https://github.com/vuejs/vue-cli/blob/dev/CHANGELOG.md ), which pins node-ipc to v9.2.1. The file‑overwriting code shipped in v10.1.1 and v10.1.2, both since removed from npm, while the peacenotwar dependency that writes “WITH-LOVE-FROM-AMERICA.txt” arrived in v11.0.0.
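The audit and cleanup described above, as an added example script that is not part of vue-cli, node-ipc, or the original article. It walks a project tree, reports every node-ipc copy newer than the 9.x line that vue-cli 5.0.2 pins to, reports peacenotwar directories and live imports, and can apply the stop‑gap cleanup (delete the package directory, comment out the import). The script name, function names, and the sample package layout in the usage comment are assumptions for illustration; the version threshold (flag anything 10.x or later) is a deliberate simplification rather than the exact advisory range.

```shell
#!/bin/sh
# audit_node_ipc.sh (example code added for this article; not part of vue-cli
# or node-ipc). Finds every node-ipc copy under a project, flags anything newer
# than the 9.x line that vue-cli 5.0.2 pins to, reports peacenotwar artifacts,
# and can apply the stop-gap cleanup the article describes.

# Extract the "version" field from a package.json without needing jq.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# "ok" for versions below 10 (9.2.1 is the pinned, clean release),
# "suspect" for 10.x and later, which is where the protestware appeared.
classify_node_ipc() {
  major=${1%%.*}
  if [ "$major" -ge 10 ] 2>/dev/null; then
    echo suspect
  else
    echo ok
  fi
}

# Walk a project tree and print one finding per line. Prints nothing when the
# tree contains only pinned node-ipc copies and no peacenotwar artifacts.
audit_tree() {
  root="$1"
  find "$root" -path '*/node_modules/node-ipc/package.json' 2>/dev/null | sort |
  while read -r pj; do
    v=$(pkg_version "$pj")
    echo "node-ipc $v at ${pj%/package.json}: $(classify_node_ipc "$v")"
  done
  find "$root" -type d -name peacenotwar -path '*/node_modules/*' 2>/dev/null | sort |
  while read -r d; do
    echo "peacenotwar package present at $d"
  done
  find "$root" -path '*/node_modules/node-ipc/node-ipc.js' 2>/dev/null | sort |
  while read -r js; do
    # only live (uncommented) references count as a finding
    if grep -v '^[[:space:]]*//' "$js" | grep -q peacenotwar; then
      echo "peacenotwar import in $js"
    fi
  done
  return 0
}

# Stop-gap cleanup from the article: delete the peacenotwar package directories
# and comment out its import in node-ipc.js. The node-ipc copy itself stays;
# pinning it to 9.2.1 (as vue-cli 5.0.2 does) is the real fix.
neutralize_peacenotwar() {
  root="$1"
  find "$root" -type d -name peacenotwar -path '*/node_modules/*' -prune \
    -exec rm -rf {} + 2>/dev/null
  find "$root" -path '*/node_modules/node-ipc/node-ipc.js' 2>/dev/null |
  while read -r js; do
    tmp="$js.tmp.$$"
    # prefix "// " to every uncommented line that mentions peacenotwar
    sed 's#^\([[:space:]]*\)\([^/[:space:]].*peacenotwar\)#\1// \2#' "$js" > "$tmp" &&
      mv "$tmp" "$js"
  done
  return 0
}

# Usage: sh audit_node_ipc.sh [project-dir] [--fix]
if [ "${0##*/}" = "audit_node_ipc.sh" ]; then
  dir=${1:-.}
  audit_tree "$dir"
  [ "$2" = "--fix" ] && neutralize_peacenotwar "$dir" && audit_tree "$dir"
fi
```

Run it from the project root after `npm install` or `yarn install`; a clean tree prints nothing. Treat `--fix` as triage only: the durable fix is to make the resolver choose node-ipc 9.2.1 (upgrade to vue-cli 5.0.2, or force the transitive version with npm’s `overrides` or Yarn’s `resolutions` field in package.json) and commit the updated lockfile, because the next install would otherwise pull the same code back.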

Some developers criticize Vue’s response, urging the team to add a popup warning on the official site, deprecate all infected vue-cli packages, and provide upgrade alerts for users.

Vulnerable Node.js ecosystem

This incident highlights the fragility of the JavaScript/Node/npm ecosystem. In October 2021 the npm package ua-parser-js was hijacked to ship cryptomining code, and in February 2022 the registry saw another supply‑chain attack in which the malicious radar-cms package stole Kubernetes credentials.

npm packages are ubiquitous and have deep, complex dependency graphs, so a compromised popular package propagates malicious code at scale, all the more so because the code published to the registry need not match the linked GitHub repository.

He Shijun suggests that solving these problems may require language‑level mechanisms, such as package‑level permission controls (finer‑grained than Deno’s process‑wide model) or Trusted Types‑like APIs, and notes that this goes beyond what any library or framework can govern on its own.

Luo Wei proposes that open‑source software adopt industry‑level risk‑management practices similar to those in construction or banking, given its profound global impact.

Conclusion

Developers comment that, having read the open‑source license, “you either fork or tolerate.” The incident raises questions about whether open‑source organizations should publicly take political stances and how developers should position themselves when the community “takes sides.”

Tags: open-source, npm, Vue CLI, supply chain security, node-ipc
Written by

Selected Java Interview Questions

A professional Java tech channel sharing common knowledge to help developers fill gaps. Follow us!
