Open Source · 2022-03-07 · 9 days · Service Disruption, Data Destruction

node-ipc maintainer shipped protestware

The node-ipc maintainer published protestware releases that targeted Russian and Belarusian IP ranges. The code wrote political messages and, in some paths, overwrote files with heart symbols.

Story

node-ipc was not taken over by an outsider. Its maintainer published the disputed releases during the first weeks of Russia's 2022 invasion of Ukraine, turning a trusted dependency into political code.

The dangerous behavior was geofenced. Snyk reported destructive file-overwrite behavior for systems resolving to Russia or Belarus, while other versions pulled in peacenotwar, which wrote a desktop message file. The package sat in dependency paths large enough for unrelated projects to inherit the blast radius.

The incident became a reference point for protestware because the code was intentional, public, and shipped through the official npm package. That makes it different from a credential theft compromise, but not harmless: consumers still received behavior they did not consent to.

The record keeps affected versions explicit and treats download counts as exposure, not confirmed file-destruction victims. The trust failure was the same one supply-chain records are meant to show: dependency updates execute with the user's authority.

Affected Artifacts

node-ipc

npm · repository · Source Archive
Observed
2022-03-07 to 2022-03-16
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:f54bb89fe21762ce2ab5fe7581bf7f347f79ec30abe3ab1175da4edc26b5f91a
  • sha256:03190b659f9ad3c0e0bb337a958cbfa49c0bbfd8baff63d5a178c0eb6c8ea292
  • Public reporting used large dependency/download figures as exposure context; no confirmed affected-user count is stored.

Incident Context

Motive
Disruption Protest
Attribution
Maintainer
Cause
Sabotage
Transitive
No
Actor
Author

External References

Source record: oss/attacks/node-ipc/meta.yaml