In March 2022, the maintainer of a popular npm package used that trust to ship destructive code straight into the software supply chain. CVE-2022-23812 tracks a set of malicious commits pushed to node-ipc, a Node.js module for local and remote inter-process communication that pulls roughly a million downloads a week. The tainted releases contained logic that checked a machine's geolocation and, if it resolved to Russia or Belarus, attempted to overwrite files on disk — a payload security researchers quickly labeled sabotage code and the incident that popularized the term protestware. Because node-ipc sits deep in the dependency tree of widely used tooling, the blast radius extended far beyond anyone who had deliberately chosen to install it.
This case remains one of the clearest examples of why supply chain security teams can't treat "trusted maintainer" and "safe code" as synonyms. The vulnerability wasn't a bug that slipped past review — it was intentional behavior added by the person with legitimate publish rights to the package.
What Happened: CVE-2022-23812 in node-ipc
node-ipc is authored and maintained by developer Brandon Nozaki Miller (known online as RIAEvangelist). In the days following Russia's invasion of Ukraine, Miller pushed commits directly to node-ipc that introduced two pieces of unrequested functionality. The first checked the host machine's IP-based geolocation against a list that included Russia and Belarus; if matched, it recursively wrote a heart-and-peace-sign character over the contents of every file it could reach on the disk, corrupting data with no way for the victim to recover it short of backups. The second, added shortly after, printed anti-war protest messages to the console.
Because node-ipc had no version pinning discipline in many downstream projects and npm's default ^ semver range allowed automatic minor/patch updates, the malicious versions propagated silently into countless build pipelines the moment npm install or npm ci ran against an unlocked lockfile. Reports at the time noted that node-ipc is a transitive dependency reachable through popular front-end tooling such as vue-cli, meaning developers with no direct relationship to node-ipc, and no reason to suspect it, could pull the destructive code into CI runners, build servers, and developer laptops.
The npm ecosystem had seen protestware gestures before — console warnings, license-text stunts — but this was the first time a maintainer weaponized a mainstream package to destroy user data based on inferred nationality, indiscriminately hitting anyone whose network egress happened to geolocate to the targeted countries, including people with no connection to the war.
Affected Versions and Components
Per the GitHub Security Advisory associated with CVE-2022-23812, the destructive payload shipped in:
- node-ipc 10.1.1 — introduced the geolocation check and disk-overwrite routine.
- node-ipc 10.1.2 — retained the destructive logic but obfuscated the code (renamed variables, encoded strings) to make it harder for the community to spot and strip out after the first version drew scrutiny.
The behavior was removed in node-ipc 10.1.3, which npm and the security community treat as the patched line going forward. It's worth noting, though, that 10.1.3 and the version immediately after it added a new dependency called peacenotwar, a module from the same author that prints an anti-war notice to the console/desktop. That follow-up package is not destructive, but it illustrates that the maintainer's approach to unilaterally injecting unrequested behavior into a widely depended-upon package didn't fully stop with the CVE fix — it's a useful reminder that "patched" doesn't always mean "back to boring, predictable behavior."
Any project — directly or transitively — that resolved to node-ipc 10.1.1 or 10.1.2 between early and mid-March 2022 should treat that build, container image, or artifact as potentially compromised, particularly if any build agents or contributors had IP addresses geolocating to the targeted regions.
CVSS, EPSS, and KEV Context
CVE-2022-23812 carries a CVSS v3.1 base score of 9.8 (Critical), reflecting an unauthenticated, low-complexity path to full loss of confidentiality, integrity, and availability once the malicious package version is resolved into a build — consistent with a vector where a network-installed dependency can execute arbitrary destructive file operations with no user interaction required.
Unlike many critical CVEs, this one doesn't fit the classic "attacker exploits a remote service" mold, which affects how you should read its risk scoring. There's no remote attacker probing an endpoint; the "exploitation" is simply installing (or having previously installed) a poisoned version of a legitimate package. That distinction matters for EPSS interpretation too — exploitation-probability scoring models built around internet-facing, attacker-triggered vulnerabilities don't map cleanly onto a maintainer-initiated supply chain sabotage event, and CVE-2022-23812 has not appeared on CISA's Known Exploited Vulnerabilities (KEV) catalog, since KEV tracks active exploitation of a vulnerability by external threat actors rather than intentional maintainer-injected payloads. The absence from KEV shouldn't be read as "low severity" — it reflects a gap in how exploitation-tracking programs categorize protestware and other insider-sourced supply chain incidents, not a judgment about the damage this specific package could do to a matched target.
Timeline of the node-ipc Protestware Incident
- March 7-8, 2022 — RIAEvangelist publishes node-ipc 10.1.1, adding the geolocation check and destructive file-overwrite routine; 10.1.2 follows quickly with obfuscated versions of the same code after early community pushback.
- Mid-March 2022 — Developers and security researchers flag the unusual behavior in GitHub issues and on social media, noting unexpected network calls to geolocation services and file corruption in testing environments. Coverage from outlets including BleepingComputer and analysis from Snyk brings the issue to mainstream security attention, and the term "protestware" enters wider use.
- March 2022 — GitHub, acting as a CVE Numbering Authority, publishes a Security Advisory and reserves CVE-2022-23812 to formally track the malicious node-ipc releases.
- node-ipc 10.1.3 is released, removing the disk-wiping payload. The
peacenotwarmodule is introduced as a new, non-destructive dependency in subsequent releases. - Following weeks — npm, package-lock auditing tools, and security vendors update advisories and scanning signatures; downstream maintainers of affected projects like vue-cli publish guidance urging consumers to pin known-good versions.
Remediation Steps
If your dependency tree touches node-ipc, treat this as a supply-chain incident-response exercise, not just a version bump:
- Identify exposure. Run
npm ls node-ipc(or the equivalent for yarn/pnpm) across every repository, and check lockfiles and CI build logs for any resolution to 10.1.1 or 10.1.2 during the affected window. - Pin to a safe version. Upgrade to node-ipc 10.1.3 or later, or pin to a pre-10.1.1 release if you don't need the newer functionality, and enforce exact version pinning (avoid bare
^/~ranges) for this package going forward. - Audit historical builds and artifacts. Any container image, build cache, or deployment artifact produced while a poisoned version was resolved should be rebuilt from a clean dependency set rather than trusted as-is.
- Check for data corruption. If any build or developer machine geolocated to Russia or Belarus during the exposure window and resolved the malicious versions, inspect the filesystem for the heart-character overwrite pattern and restore from backups where needed.
- Enforce lockfile integrity in CI. Use
npm ciwith committed lockfiles, enable registry integrity checks, and consider a private registry proxy/mirror that lets you vet and pin transitive dependencies before they reach build agents. - Add provenance and SBOM checks. Generate a software bill of materials for affected builds and diff dependency trees over time so a maintainer-injected change like this surfaces immediately rather than after public disclosure.
- Review update policies for high-fanout packages. Packages with large dependent graphs — like node-ipc — deserve extra scrutiny before auto-updating, regardless of how long the maintainer has been trusted.
How Safeguard Helps
CVE-2022-23812 is the canonical case study for why software supply chain security has to include behavioral and provenance monitoring, not just CVE-database lookups. A traditional vulnerability scanner looking for known-bad code patterns wouldn't have caught node-ipc 10.1.1 on day one — it was a brand-new, maintainer-authored release with no prior CVE to match against.
Safeguard is built for exactly this gap. Our platform continuously monitors your dependency graph — including transitive packages like node-ipc buried several layers deep — for anomalous release behavior: unexpected new versions from unusual publish patterns, suspicious code changes (like unrequested filesystem or network access added to a minor version bump), and drift between what a lockfile says you're running and what actually resolves in CI. When an npm package like node-ipc ships sabotage code or other protestware-style payloads, Safeguard flags the change before it reaches a build agent, correlates it against emerging advisories and CVE data as they're published, and gives teams a clear remediation path — pin, rollback, or rebuild — before a single line of destructive code executes.
Beyond detection, Safeguard helps enforce the guardrails that would have blunted this incident from the start: lockfile integrity verification, dependency pinning policies for high-fanout packages, SBOM generation for every build, and provenance attestation so you know a given artifact was built from vetted, unmodified sources. Supply chain trust failures like CVE-2022-23812 don't require a sophisticated exploit chain — they require a blind spot in how you monitor the packages you already trust. Safeguard closes that blind spot.