The western mob declared that being Russian is bad, and node-ipc's author followed like an obedient robot to hurt innocent bystanders:
This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users with an IP located in Russia or Belarus, and overwrites their files with a heart emoji.
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-23812
Further technical write-up here: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c
This is downloaded automatically by package managers a million times per week. Virtue signaling is no longer only dangerous in real life, where censorship, oppression, starvation, and open assault are common threats to people who are not part of the mob; now a simple update may crush your digital setup as well.
Not only is this malicious nonsense based on modern western mob rule, which rewards virtue signaling, it's also completely pointless. It wouldn't benefit anyone even if the situation were exactly as the governments claim. Pure egotism.
Where is the compassion for ordinary Russians and Belarusians? This attack hurts normal people most.
It's not like the military won't have backups…
Geolocation is also not perfectly accurate, and many people need VPNs to bypass censorship and oppression, leading to even more 'collateral damage'.
This teaches us once more that we need to remove our modern tech dependency:
- There is no way to read every single changelog/commit of every single upstream package. Especially not in the JS world. But you cannot read every single line of code in e.g. Debian either.
- Therefore, open source is not the savior it's made out to be. It only allows for easier analysis after the fact. Almost 100% of the open source world runs on package managers. One could require ever more signers per release, but chances are they're closely connected anyway.
- Not updating is not a solution either. You can specify versions and update on your own terms, which I recommend you do, but:
a. You cannot control your upstream, which has hundreds, if not thousands, of dependencies down the line.
b. You will eventually have to update to get the latest security fixes, or even just for compatibility, as life-cycles are increasingly shortened.
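As an added example (not code from the post or from node-ipc itself), a small Node script that walks a lock file's dependency tree and flags every copy of node-ipc in the affected range, transitive ones included; the lock data and the "some-framework" package name are constructed for illustration.

```javascript
// Added example, not from the original post: scan the "dependencies" tree of a
// package-lock.json (v1/v2 layout) for node-ipc versions in the range the
// advisory names (>= 10.1.1 and < 10.1.3). The lock data below is constructed.

const AFFECTED = { name: "node-ipc", min: [10, 1, 1], maxExclusive: [10, 1, 3] };

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a pre-release suffix is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Component-wise comparison: -1 if a < b, 1 if a > b, 0 if equal.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.maxExclusive) < 0;
}

// Returns one entry per affected copy, with the path of packages that pulls it in,
// so a transitive dependency (the case you cannot control) is found as well.
function findAffected(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === AFFECTED.name && isAffected(info.version)) {
        hits.push([...path, `${name}@${info.version}`].join(" > "));
      }
      walk(info.dependencies, [...path, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a safe top-level node-ipc 9.2.1 plus an affected transitive
// copy pulled in by a hypothetical "some-framework".
const sampleLock = {
  dependencies: {
    "some-framework": { version: "1.0.0", dependencies: { "node-ipc": { version: "10.1.2" } } },
    "node-ipc": { version: "9.2.1" },
  },
};
console.log(findAffected(sampleLock)); // → [ 'some-framework > node-ipc@10.1.2' ]
```

Run it against a real lock file with `findAffected(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no copy in the named range is present in that tree.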
There is no trust in tech anymore. All taboos have been broken. Tech used to be focused on tech, with unrelated matters not affecting code or behavior.
The only real solution? Staying offline where possible.
You can use an offline Win 3.1 box just fine if it serves your needs. Or a TRS-80 (give it a try: http://trsjs.48k.ca/trs80.html).
Most people don't need anything special. A laptop from 20 years ago may serve you just fine. (Although software has increasingly turned hostile and minimum version requirements have been bumped up high.)
You don't have to be in the cult of consumption.
Ideally, we'd only connect strictly maintained boxes to the internet, like Tails (https://tails.boum.org/). Even then, a brief glance at the list of affiliated organizations shows you it's politically connected to the Zeitgeist as well. But so far, Tails has not betrayed its users.
I'm not even opposed to judgement - it's more honest than keeping a fake peace. You have to draw the line somewhere and stick to it, however high it may be.
Child abuse used to be one such line in the sand; today it's being eroded.
Being Russian? Now that's unacceptable, according to the modern mob.
Take care.