Creator of open-source software sabotages his own work over money


Everywhere in China, scanning a “green” health code application is essential to enter stores, offices and public transport – Copyright AFP Fabrice COFFRINI

A technologist working and responsible for a popular open source software deliberately sabotaged his own code, apparently as a protest for not receiving financial rewards from companies for his work. This was done to erase data on computers that used the program in Russia and Belarus.

The two faced backlash for doing so, according to the posts. published on Github coding repository.

Leaning into the controversy for Digital diary is Mark Waggoner, principal engineer at LogRhythm.

Wagoner states: “The recent revelation of an open source software package maintainer deliberately sabotaging the node-ipc package, which is part of the npm java package manager for the JavaScript programming language, has once again highlighted the inherent dangers to free open source. Software Supply Chain (FOSS).

He adds: “While we have seen several recent examples of malicious actors inserting their own code into software supply chains, such as NotPetya in 2017, SolarWinds in 2020 and Microsoft Exchange Server in 2021, this appears to be if not the first instance of a manager. deliberately sabotaging their own project, at least the most egregious in recent memory.

As for the consequences, Wagoner observes: “This action adds a new potential threat actor to our risk assessments of using FOSS or FOSS-derived software.”

And as to what the actual activity means, it is explained by Wagoner as follows: “This scenario is very revealing and frankly frightening. Even organizations that follow the best practice guidelines published by NIST and CISA would have no way of identifying this type of sabotage before it is active in their environment.

Expanding on the details of the incident, Wagoner says, “Since this package was modified by the maintainer and then uploaded to the package manager through fully valid workflows, it will have all the correct hashes and signatures that security professionals would check.”

Wagoner also finds, “In addition to this, it appears that the maintainer also went out of their way to obfuscate their additions to the code base by using base64 encoding to make it even harder to identify by automated means or human reading of the code. .”

With wider implications, Wagoner points out: “Today, with nearly all software relying at least to some degree on FOSS products, this action dramatically increases the risk to any software publisher, developer or even end user of these products. Unfortunately, even things like “software manifests” and other mitigations, as noted in US National Institutes of Science and Technology (NIST) 800-171 or the recent US Department of Homeland Security (DHS) report supply chain risk assessment would have no impact on stopping this particular type of sabotage. However, having these risk awareness and mitigation policies in place should lead to faster correction once discovered.


Comments are closed.