UPDATED 15:20 EDT / MARCH 18 2022

SECURITY

Open-source developer adds pro-Ukraine ‘protestware’ to JavaScript tool

The developer of a popular open-source tool added pro-Ukraine “protestware” to the software, prominent cybersecurity journalist Brian Krebs reported on Thursday.

The open-source tool in question is known as node-ipc. It’s written in the JavaScript programming language and is used for networking tasks.

Cybersecurity startup Snyk Ltd. provided a technical analysis of the incident in a blog post. The incident began on March 7 when the developer of node-ipc, the GitHub user RIAEvangelist, uploaded a new release of the tool referred to as version 10.1.1.

According to Snyk, version 10.1.1 of node-ipc included a snippet of code designed to activate if the tool is downloaded onto a computer located in Russia or Belarus. The code finds files on the user’s computer and overwrites them with a heart emoji, Snyk detailed.

Four hours after version 10.1.1 of node-ipc was released with the data wiping code, RIAEvangelist uploaded a newer version of the tool with practically identical contents. Five hours after that, RIAEvangelist released a third update that “seems to have removed all indications of the aforementioned destructive payload,” Snyk detailed.

Overall, the data wiping code was part of node-ipc for less than a day, according to Snyk. 

On March 8, the day after the data wiping code was added and then removed, yet another update rolled out to node-ipc. This update contained a module called peacenotwar that included the description “this code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.”

Another significant development occurred this past Tuesday. That day, RIAEvangelist added the peacenotwar module originally rolled out on March 8 to a different version of node-ipc known as node-ipc 9.2.2. 

The 9.2.2 version of node-ipc is notable because it’s used by many other open-source projects, including the popular Vue.js framework for creating application interfaces. Consequently, the peacenotwar module was added to Vue.js.

Open-source software security is becoming a bigger focus for the tech industry. Last month, an industry group backed by Microsoft Corp., Google LLC, Intel Corp. and other major tech firms launched an open-source security initiative called the Alpha-Omega Project. The initiative aims to fix vulnerabilities in open-source projects and encourage broader adoption of cybersecurity best practices.

Image: Unsplash

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU