| peacenotwar | |
|---|---|
| Type | Protestware |
| Subtype | JavaScript Payload |
| Authors | Brandon Nozaki Miller |
| Technical details | |
| Written in | JavaScript |

peacenotwar is a piece of malware, which has been characterized as protestware,[1] created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc, a common JavaScript dependency.
Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the node-ipc package on the npm package registry, released two updates allegedly containing malicious code targeting systems in Russia and Belarus (CVE-2022-23812). This code recursively overwrites all files on the user's system drive with heart emojis.[2][3][4][5][6][7][8][9] A week later, Miller added the peacenotwar module as a dependency to node-ipc.[10] The function of peacenotwar was to create a text file titled WITH-LOVE-FROM-AMERICA.txt on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (npm colors package) that would result in a Denial of Service (DoS) to any server using it.[11][12]
Because node-ipc was a common software dependency, it compromised several other projects which relied upon it.[13]
Among the affected projects was Vue.js, which required node-ipc as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.[14][15]
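
The exposure described above came from packages that pulled in node-ipc without fixing a version. The following added example (not code from node-ipc, Vue.js or any project named here) audits an npm `package-lock.json` (v2/v3 layout) for installed copies of node-ipc or peacenotwar and for the packages that require them with a floating range. The function names, the sample lockfile, the `example-*` package names and every version string are constructed placeholders.

```javascript
// Package names taken from the article. No version numbers are hard-coded,
// because the article does not list the affected releases.
const WATCHED = new Set(["node-ipc", "peacenotwar"]);

// True only for a single exact version such as "1.2.3" or "1.2.3-beta.1".
// Ranges ("^1.2.3", "~1.2", ">=1"), "*", "" and dist-tags all float.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// package-lock v2/v3 keys look like "node_modules/a/node_modules/@s/b".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Reports every installed copy of a watched package and every package that
// declares one as a dependency, noting whether that declaration is pinned.
function auditLock(lock) {
  const resolved = [];
  const requiredBy = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const owner = path === "" ? "(root project)" : nameFromLockPath(path);
    if (WATCHED.has(owner)) resolved.push(`${owner}@${entry.version}`);
    for (const field of ["dependencies", "optionalDependencies"]) {
      for (const [dep, range] of Object.entries(entry[field] || {})) {
        if (WATCHED.has(dep)) {
          requiredBy.push({ dep, owner, range, pinned: isExactPin(range) });
        }
      }
    }
  }
  return { resolved, requiredBy };
}

// Constructed sample lockfile: all names other than the two watched ones and
// all version strings are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-cli": "1.0.0" } },
    "node_modules/example-cli": { version: "1.0.0", dependencies: { "node-ipc": "^0.1.0" } },
    "node_modules/example-worker": { version: "1.0.0", dependencies: { "node-ipc": "0.1.1" } },
    "node_modules/node-ipc": { version: "0.1.1", dependencies: { peacenotwar: "*" } },
    "node_modules/peacenotwar": { version: "0.0.1" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Entries reported with `pinned: false` are the ones where a new upstream release can arrive on the next install without any change to the project's own manifest.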