Open source dev sabotages own library to target Russian and Belarusian users

Initial versions of 'protestware' module added to node-ipc wiped data on users' devices

Brandon Nozaki Miller, maintainer of the popular library node-ipc, has updated the package with new code that specifically targets users in Russia and Belarus, in protest of Russia's invasion of Ukraine and Belarus's participation in the war on the Russian side.

The node-ipc module enables remote inter-process communication and is used by many prominent packages, including the JavaScript front-end framework Vue.js. It is downloaded more than a million times per week.

The package's home page on npm states "as of v11 this module uses the peacenotwar module," with a link to a page on GitHub in which Miller, who goes by the alias RIAEvangelist, states: "This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite."

This 'protestware', as RIAEvangelist calls it, was first incorporated into versions 10.1.1 and 10.1.2 of the node-ipc library on March 8th, with early versions designed to wipe arbitrary data on the devices of users in Russia and Belarus, who were targeted using their external IP address.

However, a few hours later, RIAEvangelist had a change of heart and updated the module. From node-ipc version 11 onwards the destructive element of the code was removed, and peacenotwar now downloads a file containing information about the war to the user's device.

The previous malicious versions are tracked as CVE-2022-23812 and rated 9.8 out of 10 on the CVSS vulnerability scoring system.

The fact that an individual could easily install destructive malware into a popular library has caused concern among users and producers of open source software. Open source applications are commonly built from dozens of third-party libraries and modules, which can make tracking errant versions a challenge. While there are plenty of tools to do just that, many in the community fear that incidents like this damage the reputation of open source.

Researchers at security firm Snyk flagged the 'protestware' as a supply chain incident.

"At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches a geo-location of either Russia or Belarus," said Liran Tal, Snyk's director of developer advocacy, in a blog post that also pointed out that the developer made attempts to obfuscate his changes.

"Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer's future reputation and stake in the developer community?"

This is not the first time a maintainer of an open source project has deliberately corrupted their own projects.

In January, two npm libraries Colors and Faker were deliberately sabotaged on GitHub and npm by maintainer Marak Squires, with updates that triggered infinite loops, causing thousands of projects to cease to function.

In that case, Squires was apparently seeking to highlight the fact that large corporations often use the results of developers' labours without, as he saw it, putting enough back.

"Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work," he said in 2020. "Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it."

The colors library, which is downloaded 20 million times every week, has also been the victim of 'typosquatters' recently, according to code security firm Sonatype, with malicious variants spotted in repositories, named to appear like updates to the original library, including colors2.0, colors-2.2.0 and colors-3.0.

"To a casual observer, colors-2.0, colors-3.0, and other few may appear to be 'newer' versions of the 'colors' library when that's far from the case. These packages are tactfully named in a manner that may confuse a novice developer into mistaking them for the latest versions of official 'colors'", wrote security researcher Ax Sharma in a blog.
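Both incidents above come down to the same defensive question: what exactly is resolved in a project's lockfile? The following is an added example, not code from the article or from the node-ipc or colors projects. It audits an npm `package-lock.json` for the two risks the article describes: the node-ipc releases it names (10.1.1 and 10.1.2 as destructive, version 11 onwards as depending on peacenotwar) and package names that imitate a popular library with a version-like suffix, as in `colors-2.2.0`. The lockfile layout assumed is npm's lockfileVersion 2/3 (`packages` keyed by `node_modules/<name>`) with a fallback to the v1 `dependencies` map; the watched-name list, the sample lockfile and the one-edit typo check are this example's own assumptions, not facts from the article.

```javascript
// Added example (not from the article, node-ipc or colors): audit an npm
// package-lock.json for known sabotaged releases and look-alike names.
// Assumes npm lockfileVersion 2/3 ("packages") or v1 ("dependencies").

// Major version of a semver string, e.g. "11.0.0" -> 11.
function majorOf(version) {
  const m = /^(\d+)\./.exec(version);
  return m ? parseInt(m[1], 10) : NaN;
}

// Versions come from the article: node-ipc 10.1.1 and 10.1.2 carried the
// destructive payload (CVE-2022-23812); from 11 onwards it uses peacenotwar.
const SABOTAGED = {
  'node-ipc': [
    { match: (v) => v === '10.1.1' || v === '10.1.2',
      severity: 'critical', reason: 'CVE-2022-23812 destructive protestware' },
    { match: (v) => majorOf(v) >= 11,
      severity: 'warning', reason: 'pulls in the peacenotwar module' },
  ],
  peacenotwar: [
    { match: () => true, severity: 'warning', reason: 'protestware module' },
  ],
};

// Names typosquatters imitate; colors and faker are from the article, the
// list itself is an assumption an auditor would extend for their own tree.
const WATCHED_NAMES = ['colors', 'faker', 'node-ipc'];

// Edit distance, used to catch single-typo look-alikes (added generalisation).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1,
                        diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// "colors-2.2.0" or "colors2.0" is a watched name plus a version-looking
// suffix (the pattern the article reports); "colrs" is one edit away.
function lookalikeOf(name) {
  if (WATCHED_NAMES.includes(name)) return null;        // the genuine package
  const base = name.replace(/[-_.]?v?\d+(\.\d+)*$/, '');
  for (const watched of WATCHED_NAMES) {
    if (base === watched) return { watched, kind: 'version-suffix' };
    if (levenshtein(name, watched) === 1) return { watched, kind: 'one-edit' };
  }
  return null;
}

// Flatten either lockfile layout into [{ name, version }] entries.
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue;                         // "" is the root project
      out.push({ name: path.slice(idx + 'node_modules/'.length), version: meta.version });
    }
  } else if (lock.dependencies) {
    for (const [name, meta] of Object.entries(lock.dependencies)) {
      out.push({ name, version: meta.version });
    }
  }
  return out;
}

// Run both checks over every installed package and return the findings.
function audit(lock) {
  const findings = [];
  for (const { name, version } of listPackages(lock)) {
    for (const rule of SABOTAGED[name] || []) {
      if (rule.match(version)) {
        findings.push({ name, version, severity: rule.severity, reason: rule.reason });
      }
    }
    const look = lookalikeOf(name);
    if (look) {
      findings.push({ name, version, severity: 'warning',
                      reason: `${look.kind} look-alike of "${look.watched}"` });
    }
  }
  return findings;
}

// Constructed sample lockfile: a made-up project with illustrative versions,
// apart from node-ipc 10.1.1, which the article names.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '10.1.1' },                        // critical
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.0.0' },  // not flagged
    'node_modules/colors': { version: '1.4.0' },                           // genuine
    'node_modules/colors-2.2.0': { version: '1.0.0' },                     // look-alike
    'node_modules/peacenotwar': { version: '1.0.0' },                      // protestware
  },
};

for (const f of audit(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
}
```

In practice the `SAMPLE_LOCK` constant would be replaced by `JSON.parse(fs.readFileSync('package-lock.json'))`, and the check belongs in CI so a resolved version or name that matches a rule fails the build before it is installed anywhere. The rules are deliberately data, not code: adding the next incident is a new entry in `SABOTAGED` or `WATCHED_NAMES`.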

Also in January, Christofer Dutz, creator and lead developer of the free Apache PLC4X industrial automation library suite, announced his intent to stop providing free community support for PLC4X if corporate users did not start paying.

"The industry seems to like using PLC4X and open-source in general, but doesn't seem to be willing to support the people working on it. So, I will stop providing free community support for PLC4X," he said.