Application security, Supply chain

What happens when ‘protestware’ sabotages open source in response to current events?

A committee of Ukrainian leaders, rabbis and other religious figures participate in a protest in front of the U.S. Mission to the United Nations on March 16, 2022, in New York City. (Photo by Spencer Platt/Getty Images)

New software supply chain concerns emerged in the open-source community when a popular Javascript library began to delete all files on systems in Belarus and Russia as a protest to the war in Ukraine.

Node-ipc, a npm library that is a dependency of the extremely popular frontend Javascript framework Vue.js , was updated last week to include malicious code that overwrote files on systems with Belarusian or Russian IPs. The maintainer of Node-ipc, RIAEvangelist, soon rolled back the code to merely dropped a file titled "WITH-LOVE-FROM-AMERICA.txt" containing a message calling for peace.

"This behavior is beyond f****d up. Sure, war is bad, but that doesn't make this behavior (e.g. deleting all files for Russia/Belarus users and creating strange file in desktop folder) justified. F**k you, go to hell. You've just successfully ruined the open-source community. You happy now @RIAEvangelist?," wrote one commenter to the Nopde-ipc Github.

RIAEvangelist denied there being a destructive payload; however, the payload was well documented by the Github community and Snyk.

As RIAEvangelist updated Node-ipc, he updated the version numbers as well, triggering automatic updating of code for many downstream users.

"They obviously wanted to get out a message in a time where we're having a lot of crises around the world, there is understandable pain. I can understand that. I would also like to say this is not the best way of doing it," Liran Tal, director of developer advocacy at Snyk, told SC Media.

Tal wrote Snyk's blog post, which includes in no uncertain terms its stance on the war: "Snyk stands with Ukraine." The problem, he said, is that destructive software — even "protestware," a term some coined for Node-ipc — risks damaging collateral systems and the open-source community on the whole.

"The blast radius here was big," he said.

Many developers view open-source software as a monolith, a single community rather than a bunch of individual projects. Even among popular projects, those can run the gamut of big organizations with boards of directors and many contributors to, as XKCD famously put it, "a project some random person in Nebraska has thanklessly been maintaining since 2003."

Node-ipc is the second major instance of an open-source project maintained by a single individual being sabotaged as a form of activism in the past year, following a long period of no activism whatsoever. Colors.js and Faker.js, both maintained by the same person, added an infinite loop to the code in January to protest large firms using open-source software without financial contributions. In that case, however, the protest was tied to the medium — it was code protesting for coders, rather than a third party.

The lesson may be to include projects run by individuals, or projects with dependencies on projects run by individuals, as its own risk in a threat model.

"You have to trust the people that you're getting the components from. And I think the moral of the story comes back to a hygiene one. When you're choosing what projects to use, you should be choosing ones from places that are backed by foundations," said Brian Fox, chief technology officer of the software supply chain firm Sonatype.

An organization like Apache, where a decision as radical as adding malicious code would require a vote, would be less likely to make such a move, said Fox.

But the point, he said, should not be that activism alone is the problem. Instead, this all plays into a bigger issue, that enterprises remain unprepared for software supply chain risks, even after a year showing how many different forms that come in. Fox noted live Sonatype statistics, showing that 40% of downloads of Log4j as he spoke to SC Media were for dangerously out of date versions of the popular Java package.

"If we can't handle Log4j after three months, how can we handle a thing that happened last night," he said.

Whether deserving or not, the damage done to the credibility of open-source will likely not be limited to projects maintained by single individuals. (Commercial vendors cell phones "are probably going crazy now," said Adam Meyers, senior vice president of intelligence at Crowdstrike, as enterprises look for a more professionally run alternative).

For open source in general, it has not "been a good look," he said, even while most people in the open-source community view it as "wildly irresponsible."

"There was no discretion for what kind of users there were in Russia or Belarus," he said. "It could have been, you know, critical infrastructure, critical care. Extremely poor judgment."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.