Computers for sale in Moscow, where residents seemed fatalistic in the face of impending Western sanctions following the Russian invasion of Ukraine – © AFP/File Charly TRIBALLEAU
A piece of open-source software was sabotaged and designed to erase data on computers. What’s interesting about this case is that the saboteur was the inventor of the code. In this case, the developer, who is Russian, appears to have committed cyber vandalism as an act against his own country over the conflict in Ukraine. However, the ramifications have extended beyond national borders.
The case demonstrates the dangers inherent in many forms of free, open-source software, and it shows why companies need to be careful about the types of software they choose.
Looking at this unusual case for Digital Journal is Sally Vincent, Principal Threat Research Engineer at LogRhythm.
According to Vincent, there are lessons to be learned from this affair: “The inclusion of ‘protestware’ in the node-ipc open-source module reminds all organizations that the use of open-source software carries security risks.”
Vincent points out that the following considerations still apply:
- Organizations should have governance policies regarding the use of open source software and policies for monitoring updates from open source repositories.
- Developers should be aware of the security risks of using open source repositories in their projects.
- All projects that use open source repositories should always check their source(s) to ensure that no malicious code is buried there.
Vincent also warns that a repeat of this event would be easy to bring about, noting, “This incident shows how easily malicious code can be introduced into an open source project.”
And this holds whatever the motivation, as Vincent points out: “It is remarkable for the fact that the person who introduced it claims that it is a peaceful demonstration.”
She adds: “Regardless of intent, the code is potentially very harmful. All projects that use node-ipc should be checked immediately to make sure they are not on a malicious source code thread.”
As for the wider exposure, Vincent spells it out: “Node-ipc is a popular open source nodejs module for local and remote inter-process communication. Several open source Java frameworks require node-ipc as a dependency. Technology supply chains seem to be a particularly vulnerable area.”
Additionally, Vincent states, “The node-ipc maintainer deliberately sabotaged their own repository to include malware called ‘peacenotwar’ which overwrites files with a heart emoji when it detects the user is in Russia or Belarus. The maintainer of node-ipc, RIAevangelist, denies that the files are destroyed by peacenotwar.”
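The checks Vincent recommends (verifying what an open source dependency tree actually pulls in, and reviewing updates before trusting them) can be automated against the project's own lockfile. The following is an added example, not code from the article, from LogRhythm or from the node-ipc project: a small Node.js script that audits an npm `package-lock.json`, flags a deny-listed package (`peacenotwar`), flags a package whose pinned version needs manual review (`node-ipc`), and reports the generic warning signs a reviewer would want to see, namely install scripts, missing integrity hashes and tarballs resolved from an unexpected registry. It also answers the transitive-dependency question raised above: which installed package is the one dragging the flagged module in. The lockfile, the version numbers, the integrity strings and the policy list are all constructed placeholders for the demonstration.

```javascript
'use strict';

// Constructed sample of an npm package-lock.json (lockfileVersion 3 layout, where
// every installed package is keyed by its node_modules path). The versions and
// the "integrity" values are made-up placeholders, not real published values.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-ipc': '^1.0.0', 'left-pad': '^1.3.0' } },
    'node_modules/node-ipc': {
      version: '1.0.0-constructed',
      resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-1.0.0-constructed.tgz',
      integrity: 'sha512-PLACEHOLDER',
      dependencies: { peacenotwar: '^1.0.0' },
    },
    'node_modules/peacenotwar': {
      version: '1.0.0-constructed',
      resolved: 'https://registry.npmjs.org/peacenotwar/-/peacenotwar-1.0.0-constructed.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

// Hypothetical organisational policy: packages that must never be installed, and
// packages whose presence requires a human to confirm the pinned version was vetted.
const POLICY = {
  deny: { peacenotwar: 'protestware module named in the incident' },
  review: { 'node-ipc': 'maintainer-sabotaged module; confirm the pinned version was vetted' },
  allowedRegistry: 'https://registry.npmjs.org/',
};

// Package name from a lockfile path, handling scoped (@scope/pkg) and nested packages.
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Walk every installed package and collect findings; severity is 'deny' or 'review'.
function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageName(lockPath);
    const add = (severity, reason) =>
      findings.push({ path: lockPath, name, version: entry.version, severity, reason });
    if (policy.deny[name]) add('deny', policy.deny[name]);
    if (policy.review[name]) add('review', policy.review[name]);
    if (entry.hasInstallScript) add('review', 'runs an install script (code executes at npm install time)');
    if (!entry.integrity) add('review', 'no integrity hash; tarball contents are not pinned');
    if (entry.resolved && !entry.resolved.startsWith(policy.allowedRegistry)) {
      add('review', `resolved outside the allowed registry: ${entry.resolved}`);
    }
  }
  return findings;
}

// Which installed packages (or the root project) declare `name` as a dependency.
function findDependents(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, entry]) => entry.dependencies &&
      Object.prototype.hasOwnProperty.call(entry.dependencies, name))
    .map(([lockPath]) => lockPath || '(root project)');
}

// A CI gate would fail the build on any 'deny' finding and route 'review' ones to a human.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.severity === 'deny');
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditLockfile(SAMPLE_LOCK);
  for (const f of findings) console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
  console.log('peacenotwar is pulled in by:', findDependents(SAMPLE_LOCK, 'peacenotwar'));
  console.log('blocking:', hasBlockingFindings(findings));
}
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and run the script in CI before `npm install`; the `findDependents` output is what tells a team that a module they never chose, such as `peacenotwar`, arrived through a framework dependency rather than through their own `package.json`.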