How a Node‑IPC Supply‑Chain Attack Hijacked Vue‑CLI Projects
A malicious update to the npm package node‑ipc, used by vue‑cli, injected anti‑war code that creates unwanted files, overwrites system directories for Russian and Belarusian IPs, and sparked a community response that led to a patched vue‑cli release and detailed remediation steps.
The npm package node-ipc, a dependency of vue-cli, was used to conduct a supply-chain attack under the guise of an anti‑war statement. The author RIAEvangelist created a “peacenotwar” repository and inserted malicious code that targets users from Russia and Belarus.
When users run npm install and start a Vue project, a WITH-LOVE-FROM-AMERICA.txt file appears on the desktop. The malicious code, found in dao/ssl-geospec.js, is obfuscated with base64 strings and, for the targeted IPs, overwrites files in the current, parent, and root directories with a heart symbol.
After public backlash, the author replaced the destructive payload with a harmless “peace‑war” text file, but the incident highlighted the need for stricter code review in open‑source ecosystems.
Vue‑CLI responded by releasing version 5.0.3, which pins node-ipc to v9.2.1, and the article provides a step‑by‑step remediation guide:
1. Install as usual according to the README.
2. After building, globally search for “peacenotwar” and delete all occurrences.
3. Remove the peacenotwar directory from node_modules.
4. Comment out the code that references “peacenotwar” in node_modules/node-ipc/node-ipc.js.
5. Start the project normally.
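A lockfile check to go with the remediation steps above, as an added example that is not code from the original article or from the vue-cli project. It flags any peacenotwar entry and any node-ipc copy that is not at the 9.2.1 pin the article mentions; the function name, the sample lockfile and its placeholder versions are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the packages named in the article.
const PINNED_NODE_IPC = "9.2.1"; // version the article says vue-cli 5.0.3 pins

function auditLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === "peacenotwar") {
      findings.push({ where, name, version, reason: "peacenotwar is installed" });
    } else if (name === "node-ipc" && version !== PINNED_NODE_IPC) {
      findings.push({ where, name, version, reason: `node-ipc is not pinned to ${PINNED_NODE_IPC}` });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // "" is the root project itself
      check(path.slice(idx + "node_modules/".length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, so walk it recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample lockfile; every version except 9.2.1 is a placeholder.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@vue/cli-shared-utils": { version: "0.0.0-constructed" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "99.0.0-constructed" },
    "node_modules/peacenotwar": { version: "0.0.0-constructed" },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.where}: ${f.name}@${f.version} (${f.reason})`);
}
```

On a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`. An empty result means neither condition appears in the lockfile, not that `node_modules` on disk is clean.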
The author of the package has acknowledged the malicious intent, stating it was aimed at Russian and Belarusian users. This is not the first controversy surrounding RIAEvangelist; the node-ipc license “don’t be a dick” also drew criticism in 2020.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
