Press Release
A well-known npm package deleted files to oppose the situation in Ukraine.
In opposition to the continuing Russo-Ukrainian War, the creator of the well-known npm package “node-ipc” released corrupted versions of the library this month.
On developers’ computers, newer versions of the “node-ipc” programme started overwriting all files, erasing all data, and creating new text files containing “peace” messages.
Node-ipc is a well-known package used by important libraries like Vue.js CLI, with over a million downloads each week.
Protestware: Open source is affected by the continuing conflict in Ukraine
For users based in Russia and Belarus, specific versions (10.1.1 and 10.1.2) of the enormously popular “node-ipc” package were discovered to include malicious code that would overwrite or destroy arbitrary files on a system. These variations are monitored by CVE-2022-23812.
On March 8th, software engineer Brandon Nozaki Miller, alias RIAEvangelist, published two open source software packages on npm and GitHub called peacenotwar and oneday-test.
The fact that the packages primarily send a “message of peace” on the Desktop of any user who instals them suggests that the creator originally developed them as a way of peaceful protest.
According to RIAEvangelist, “This code serves as a non-destructive illustration of why controlling your node modules is vital.”
It also acts as a peaceful protest against Russia’s aggression, which currently threatens the entire world.
Although also maintained by RIAEvangelist, some npm versions of the well-known “node-ipc” library were seen unleashing a harmful payload to erase all data by overwriting files of users installing the package. This caused havoc.
It’s interesting to note that the malicious code, which was launched by the developer as early as March 7th, would read the system’s external IP address and would only overwrite files to remove data for users residing in Russia and Belarus.
To hide its true intent, the code in “node-ipc,” more notably in file “ssl-geospec.js,” uses base64-encoded strings and obfuscation techniques:
According to a condensed version of the code released by the researchers, the code will effectively delete all data on a machine for users located in Russia or Belarus by replacing all file contents with a heart emoji.
Additionally, because the peacenotwar module is included in “node-ipc” versions 9.2.2, 11.0.0, and those higher than 11.0.0, impacted users noticed “WITH-LOVE-FROM-AMERICA.txt” files appearing on their Desktop with “peace” messages:
Snyk, an open source security company, researchers also observed and investigated the malicious activity:
According to Liran Tal, Director of Developer Advocacy at Snyk, “at this point, a very clear abuse and a catastrophic supply chain security incident will occur for any system on which this npm package will be run, if that matches a geo-location of either Russia or Belarus.”
Users of Vue.js are alarmed by a supply chain attack.
The well-known JavaScript front-end framework “Vue.js” also depends on “node-ipc.” However, prior to this incident, “Vue.js” was configured to collect the most recent minor and patch versions rather than pinning the versions of “node-ipc” dependent to a safe version, as is clear from the caret () symbol: As a result, when several users were surprised, they urgently pleaded with the project’s maintainers to pin the “node-ipc” dependent to a safe version.
In addition, not only Vue.js but other open source projects have been harmed by this sabotage, as noted by BleepingComputer.
Other project maintainers are being cautioned by developers Lukas Mertens and Fedor to make sure they are not using a malicious version of “node-ipc”:
Researchers at Snyk believe that ‘node-ipc’ versions 10.1.1 and 10.1.2, which blatantly harm the system, were removed by npm within 24 hours of being published.
But take note that “node-ipc” versions 11.0.0 and higher are still accessible on npm. Additionally, the peacenotwar module that generates the aforementioned “WITH-LOVE-FROM-AMERICA.txt” files on the desktop is still present in these versions.
As a result, if you used the “node-ipc” library to build your application, be sure to pin the dependency to a secure version, like 9.2.1 (it turns out that 9.2.2 isn’t completely safe either).
Community outraged by incident in open source
This is the second significant act of self-sabotage by an open source developer this year, following the BleepingComputer-first reported “colours” and “fakers” episode from January.
The creator of “colours,” Marak Squires, received conflicting responses from the open source community because of his method of protest, which involved damaging countless apps by inserting infinite loops inside of them.
But the action of RIAEvangelist, who manages over 40 packages on npm, has come under fire for going beyond “peaceful protest” and aggressively placing damaging payloads in a well-known library without informing honest users.
A GitHub user described it as “a massive blow” to the open source community’s collective confidence.
“This behaviour is just unacceptable. War is undoubtedly a dreadful thing, but that doesn’t justify certain actions, such as placing weird files in desktop folders and erasing all files for Russia/Belarus users. You’re a f***, go to hell. You just managed to destroy the open-source community. You feeling better, @RIAEvangelist?” another enquired.
Some criticised the “node-ipc” developer for repeatedly altering and removing earlier comments on the forum in an effort to “clean up” his tracks [1, 2, 3].
“Even while some people may view maintainer RIAEvangelist’s purposeful and risky action as a justified form of protest. How does that affect the maintainer’s standing and involvement in the developer community in the future? “Snyk’s Tal queries.
Before including “node-ipc” in their applications, developers should use caution because there is no guarantee that future versions of this library or any other library made available by RIAEvangelist will be secure.
One method of defending your applications against such supply chain attacks is to pin your dependencies to a trustworthy version.
The most important event in a woman’s life is her wedding, and she wants to dress and appear her best for this special day. The bride must dress in large, bulky sarees or lehengas for the mehndi ceremony reception, one of many traditions that precede and follow Indian wedding ceremonies. We all have busy lives, though, and it’s possible that we won’t have enough time to visit various stores and make the actual purchase of sarees. It makes perfect sense in this situation to purchase wedding sarees online.
One of any Indian woman’s most prized possessions is a Banarasi Saree. These sarees have received praise not just in India but also outside. Every girl would want to own and utilise something as soft, smooth, and uniquely Indian as Banaras. These stunning sarees are being woven by hundreds of weavers in the historic city of Varanasi.
The ancient craft of creating banarasi has truly been passed down from one generation to the next and is still thriving today. These sarees are considered to have become more popular during the Mughal era. In order to produce the distinctive pattern that now distinguishes Banarasi sarees, Persian and Indian designs were combined.
People from royal houses were the only ones who wore Banarasi Silk Saree Buy Online in the past. These were once worth several lakhs of rupees because they were constructed with genuine silver and gold strings. A saree could sometimes take a weaver a whole year to complete. But now that simple threads are being used, even the common man can buy it.
Many newlyweds wear a Banarasi silk saree on their special day because it meets the requirements of a wedding saree. The sarees are a favourite among upcoming brides because of their brilliant diversity and exceptional designs. The saree can be found in a wide range of colours, including orange, red, imperial blue, purple, blue, green, and others.
The patterns and designs of the Banarasi sarees have undergone a great deal of trial and error. Sarees with extraordinary designs that reflect elegance and grace are the end result. These sarees are a treat to wear because of their lovely and elaborate embroidery.
A Banarasi saree never quits trying to make a woman look good. It makes a fashion statement right away. This is one saree that has endured for many generations and has remained unaffected by changes in the fashion industry. Banarasi silk sarees are now sold all over the world. It is now simpler than ever to buy sarees from the comfort of your home thanks to the extensive selection available online. Buy one from one of the many stores and take pleasure in its rich splendour. To make sure you are receiving a good value for your money, check its validity before purchasing.
Today, January 19, 2021, Google released Chrome 88 to the Stable desktop channel, which contains security updates and the much awaited removal of Adobe Flash Player.
Chrome 89 is the newest Beta version, Chrome 88 has been moved to the Stable channel, and Chrome 90 will be the Canary version.
Users using desktop versions of Windows, Mac, and Linux can upgrade to Chrome 88 by selecting Settings -> Help -> About Google Chrome. When a new update becomes available, the browser will then check for it automatically and install it.
Removal of Flash Player from Chrome
On January 12th, 2021, Adobe Flash Player will no longer be supported, hence Google has totally removed Flash from the browser.
Organizations will no longer be able to use Enterprise policy to re-enable Flash Player in Google Chrome as a result of this change.
Since 2017, Google has been alerting consumers to the impending demise of Adobe Flash Player and recommending businesses to stop utilising it in their environments.
With this modification, Flash Player is no longer supported by the main platform for running Flash content.
FTP support was dropped
Due to its limited usage and lack of support for proxy or encrypted (FTPS) connections, Google decided to remove FTP support (ftp:/) from Chrome.
Because only “.1-.2%” of Chrome users actually utilise the FTP protocol, Google has been attempting to get rid of it since 2014.
With the introduction of a new “chrome:/flags/#enable-ftp” flag that determines whether or not FTP support is enabled, Google started deprecating FTP support with the release of Chrome 80.
In order to ensure that there would be no issues with accessing content on FTP sites during the epidemic, Google restored FTP support once more on April 9th, reversing the previous decision to disable it by default in Chrome 81.
“We will “undeprecate” FTP on the Chrome stable channel in light of the present problem. FTP, for instance, will resume operation “Asanka Herath, a Google software engineer, commented on a Chromium issue topic.
The browser no longer offers any FTP support as of the release of Chrome 88.
enhanced controls for the dark mode
Although Google Chrome has long supported operating system dark mode settings, not all of its controls have been converted to a dark mode style. Scroll bars and form controls are some of these controls.
With Chrome 88, the browser now uses a dark mode theme to display scroll bars and form controls.
increased protection against tabbing assaults
In order to prevent “tabnabbing” assaults, Chrome 88 will automatically apply the “noopener” context to links that open in new tabs when a user clicks on them. This attack technique is referred to as “tab-napping” by Google.
A security flaw called “tabbing” enables a freshly opened page to use javascript to send the user to a different URL from the one they were originally on. Any URL the threat actor chooses, such as phishing pages or pages that automatically download malicious files, might be used as the redirected URL.
HTML links can have a rel=”noopener” property added by web designers to stop a new tab from changing the referring page using JavaScript.
With the introduction of Google Chrome today, any links that open in a new tab will instantly have the rel=”nooopener” attribute applied to them.
New Tab search demonstration
The long-awaited capability of being able to search through all of your open tabs finally arrives in Chrome 88. When activated, a small down arrow will appear in a circle, and clicking it will launch a search dialogue.
Press Release
SPANISH DELIVERY APP GLOVO RAISES $121M FROM SWISS REAL ESTATE FIRM STONEWEG TO BUILD OUT DELIVERY-ONLY CONVENIENCE STORES FOR SUB-30 MINUTE DELIVERY TIMES (MACARENA MUNOZ MONTIJANO/BLOOMBERG)
Macarena Munoz Montijano / Bloomberg:
Spanish delivery app Glovo raises $121M from Swiss real estate firm Stoneweg to build out delivery-only convenience stores for sub-30 minute delivery times — – Stoneweg will build, refurbish property to help Glovo expand — Glovo’s orders for convenience items have surged 300%
-
Apps1 year agoWhy is Everyone Talking About Hindi Keyboards?
-
Social Media1 year agoWho is Rouba Saadeh?
-
Apps1 year agoThings you need to know about Marathi keyboard today
-
Apps1 year agoStuck with Your default Bangla keyboard? Isn’t it time for a change?
-
Social Media1 year agoMati Marroni Instagram Wiki (Model’s Age, Net Worth, Body Measurements, Marriage)
-
Games12 months agoTop 7 Popular Puzzle and Card Games for Relaxing Your Brain on Mobile, Featuring Solitaire
-
Entertainment1 year ago12 Online Streaming Sites that Serve as Best Alternatives to CouchTuner
-
Entertainment1 year agoMovierulz Website: Movierulzz 2021 Latest Movies on Movierulz.com