CVE-2022-23812 tracks a software supply-chain compromise/protestware incident in the npm package node-ipc. In affected versions 10.1.1 and 10.1.2, malicious code was intentionally added to the package source. The injected logic performs an outbound HTTPS request to an IP geolocation service, parses the returned country_name value, and checks whether the host appears to be located in Russia or Belarus. If the check matches, the code recursively traverses directories and overwrites files with a heart emoji, causing destructive data corruption. The provided code shows the malicious logic using Node.js fs, path, and https modules, delayed execution via setTimeout, and recursive filesystem enumeration before calling writeFile to replace file contents. The content also notes that from 11.0.0 onward, node-ipc no longer embedded the destructive logic directly, but instead imported the peacenotwar package, which introduced separate potentially undesired behavior. This CVE is associated with the 2022 destructive node-ipc incident, not the distinct 2026 credential-theft campaign discussed in the supporting context.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A historical node-ipc supply chain poisoning incident from 2022 involving destructive behavior in malicious package versions 10.1.1 to 10.1.2. The article explicitly distinguishes it from the new 2026 credential-theft campaign.
A supply-chain sabotage vulnerability in the npm package node-ipc involving intentionally malicious/destructive behavior in certain versions, including file corruption/wiping and later protestware behavior via added dependencies.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.