A protest via a developer against Russia’s invasion of Ukraine has turned into a supply chain attack in a popular JavaScript developer module.

Detailed Wednesday by researchers at Snyk Ltd., the bizarre tale starts on March 8 with developer Brandon Nozaki Miller, who wrote source code and published an “npm” software module called “peacenotwar.” The notes with the module claim that it serves as a nondestructive example of why controlling node modules is important and as a protest against Russia. The description also notes that users will receive a message of peace on their desktops.

On March 15, the module was then added as a dependency to the node-ipc module, a popular dependency that many JavaScript developers in the npm ecosystem rely on. There is where good intentions lead to unintended consequences. One of many JavaScript ecosystem projects that rely on node-ipc is the Vue.js command-line tool.

The peacenotwar code ended up in Vue.js CLI and herein starts the problem, since the code also has the ability to launch a destructive payload and overwrite all files of users installing the package. The original intent was for the code to overwrite files for users based in Russia and Belarus, but the code opens the door to a broader supply chain attack.

The risk this so-called “protestware” has introduced is serious, with Snyk giving the vulnerability a 9.8 score out of the 10-point common vulnerability scoring system, meaning it’s considered critical.

“This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms,” the Snyk researchers explained. “While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.”

The malicious code has been found in node-ipc versions 10.1.1 and 10.1.2, with the Snyk researchers encouraging users with the dependency chain to upgrade to version 10.1.3 or higher.

“Snyk stands with Ukraine and we’ve proactively acted to support the Ukrainian people during the on-going crisis,” the researchers concluded. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”

Image: NPM