node-ipc @12.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3744
Ecosystem
npm
Summary
node-ipc version 9.2.3 contains a heavily obfuscated module (node-ipc.cjs with hex-mangled identifiers such as _0xaed59b, _0x282d65, _0x4524e4, _0x41d0c3) introduced by the maintainer as protestware. The obfuscated code, loaded on module import, performs geolocation lookups against installer-side IP data and, for hosts resolving to certain regions, overwrites and/or creates files on the installer's filesystem (historically writing 'peace' messages to the user's Desktop and, in related releases from the same maintainer, recursively overwriting files with a heart character). The payload fires whenever this package is loaded as a dependency — including transitively via popular downstream packages — without any consent from the installer. This is destructive, geolocation-gated sabotage executed on the installer's machine at module load time.
Source: amazon-inspector (510f4689fde6aaa371d3326fe3cb2f9cf33c0821c38d0166359e870c5c836b8d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.