A maintainer who sabotaged a popular NPM package in protest at Russia’s invasion of Ukraine has been criticised for undermining trust in the open source ecosystem.
‘RIAEvangelist’ (aka Brandon Nozaki Miller) embedded malware – or ‘protestware’, as he dubbed it – into the latest stable release of the Node.js module node-ipc.
If developers install the poisoned package on a system geo-located in Russia or Belarus, the malware overwrites file contents with a heart emoji. It also drops a WITH-LOVE-FROM-AMERICA.txt file containing a peace message into the user’s desktop directory.
Downstream projects that pull in node-ipc were affected too: Vue.js CLI, which depends on node-ipc, has been cleaned up in versions 4.5.16+ and 5.0.3+.
In a blog post, Liran Tal, director of developer advocacy at developer security-focused platform Snyk, emphasized that “Snyk stands with Ukraine”, but questioned the wisdom of RIAEvangelist’s chosen form of protest.
“How does that reflect on the maintainer’s future reputation and stake in the developer community?” Tal said. “Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”
Several developers also criticised the package sabotage on a related GitHub thread, in which RIAEvangelist responded that “you are free to lock your dependency to a version that does not include this”. He added that it “should serve as a safe example of why we teams should use explicit dependency versions. So it is always our choice to upgrade or not”.
RIAEvangelist maintains more than 40 NPM packages in total, together accounting for several million weekly downloads.
Tracking the timeline
RIAEvangelist published peacenotwar on March 8 with the source-code description:
“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.”
Peacenotwar began accruing downloads when it became a dependency of node-ipc, an inter-process communication module that is downloaded more than one million times a week.
This happened with node-ipc version 10.1.1, released on March 7, as well as 10.1.2, published shortly afterwards with the possible purpose, Tal speculated, of triggering automated dependency upgrades.
Then on March 8, the maintainer removed the destructive code he had introduced with the release of version 10.1.3.
However, less than four hours later, another vulnerable version, 11.0.0, appeared that, “instead of having malicious code directly in the source of this package […] imports the peacenotwar package”.
The impact was ramped up a week later, on March 15, when 9.2.2, an update to the module’s stable 9.x branch, landed with peacenotwar bundled. It also featured ‘colors’, another NPM package sabotaged by its maintainer for a purported protest-related motive in January 2022.
Snyk recommends that developers avoid the node-ipc package altogether and, if it is already bundled with their project, override the sabotaged versions with a known-good one.
Tal’s post continued: “Gaining skills in how to manage software dependencies at scale is becoming evidently more important, as well as ensuring that you as a developer are following npm security best practices, and learning about security pitfalls and incidents such as why npm lockfiles can be a security blindspot for injecting malicious modules.”