node-ipc protestware (npm, 2022)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags manifest pins of node-ipc 10.1.1 through 10.1.3, the releases that shipped intentional geo-targeted file-deletion/protest code (CVE-2022-23812).
Why it matters
node-ipc 10.1.1 and 10.1.2 contain code that checks the installing machine's IP-derived geolocation and, if it looks Russian or Belarusian, overwrites files on disk with a heart emoji -- a deliberate protest payload with no opt-out. Version 10.1.3 replaced the destructive code with a non-malicious 'peacenotwar' dependency, but by then the trust damage was done and all three versions are considered unsafe to install unreviewed (CVE-2022-23812). node-ipc is a transitive dependency of some popular CLI tools, so this could land in a build without anyone choosing it directly. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Pin node-ipc to a version outside 10.1.1-10.1.3 (either an earlier release or a current one well past the incident) and reinstall. If node-ipc is only transitive, update the parent dependency that pulls it in, or use your package manager's override/resolutions field to force a safe version.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo