peacenotwar is a piece of malware, which has been characterized as protestware, created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for <code>node-ipc</code>, a common JavaScript dependency.
Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the <code>node-ipc</code> package on the npm package registry, released two updates allegedly containing malicious code targeting systems in Russia and Belarus (). This code recursively overwrites all files on the user's system drive with heart emojis. A week later, Miller added the peacenotwar module as a dependency to <code>node-ipc</code>. The function of peacenotwar was to create a text file titled <code>WITH-LOVE-FROM-AMERICA.txt</code> on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (npm colors package) that would result in a Denial of Service (DoS) to any server using it.
Because <code>node-ipc</code> was a common software dependency, it compromised several other projects which relied upon it.
Among the affected projects was Vue.js, which required <code>node-ipc</code> as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.