PT-2022-16282 · Npm · Node-Ipc

Tyler Resch +1 · Published 2022-03-16 · Updated 2026-05-18 · CVE-2022-23812

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

node-ipc versions 10.1.1 through 10.1.2

Description

The issue concerns malicious code embedded in the node-ipc package that targets users with IP addresses located in Russia or Belarus. On such systems the code is activated with a 25% probability and overwrites files with a heart emoji. The package has around a million downloads per week and is used as a dependency by 354 packages, including vue-cli. All projects with node-ipc in their dependencies are also affected.

Recommendations

For node-ipc versions 10.1.1 through 10.1.2, update to version 10.1.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of the node-ipc package until a patch is available. Restrict access to the node-ipc package to minimize the risk of exploitation. Avoid using the node-ipc package in projects that require high security standards until the issue is fully resolved.
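
Because projects that only pull in node-ipc through another dependency are affected too, a lockfile check is the quickest way to see whether an affected release is installed. The script below is an added example, not code from this advisory or from the node-ipc project; it assumes the standard npm `package-lock.json` layouts, and the sample lockfile and the package name `example-cli` are constructed for illustration.

```javascript
const fs = require("fs");

// Affected range as stated in this advisory: 10.1.1 through 10.1.2.
const AFFECTED = new Set(["10.1.1", "10.1.2"]);

// Return [{ path, version }] for each affected node-ipc entry in a parsed
// package-lock.json, including copies pulled in transitively.
function findAffectedNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      // meta.name is set when the folder name differs (npm alias).
      const name = meta.name || path.split("node_modules/").pop();
      if (name === "node-ipc" && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === "node-ipc" && AFFECTED.has(meta.version)) {
        hits.push({ path: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile ("example-cli" is a made-up dependent package).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-cli": { version: "2.0.0" },
    "node_modules/example-cli/node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/node-ipc": { version: "10.1.3" },
  },
};

// Usage: node check-node-ipc.js [path/to/package-lock.json]
const file = process.argv[2];
const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
for (const hit of findAffectedNodeIpc(lock)) {
  console.log(`affected node-ipc ${hit.version} at ${hit.path}`);
}
```

Run without arguments it checks the constructed sample; pass the path to a real `package-lock.json` to check a project.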

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-23812
GHSA-97M3-W2CP-4XX6
SNYK-JS-NODEIPC-2426370

Affected Products

Node-Ipc