Open-source software maintainer sabotages own code in anti-Russian protest

Computers for sale in Moscow, where residents seemed fatalistic about looming Western sanctions over Russia’s invasion of Ukraine – © AFP/File Charly TRIBALLEAU

An item of open-source software has been sabotaged and designed to wipe data on computers.  What is of interest with this case is that the saboteur was the inventor of the code. In the case the developer, who is Russian, seems to have carried out the cyber-vandalism as an act against his own country due to the Ukraine conflict. However, the ramifications spread beyond national borders.

The open-source software package maintainer appears to have deliberately sabotaged the node-ipc package, which is part of the npm java package manager for the JavaScript programming language.

The case demonstrates the dangers inherent in many forms of Free Open Source Software and this demonstrates why businesses need to be careful as to the types of software they opt for.

Looking into this unusual case for Digital Journal is Sally Vincent, Senior Threat Research Engineer at LogRhythm.

According to Vincent there are lessons to be learnt from this case: “The inclusion of “protestware” in the open-source node-ipc module serves as reminder to all organizations that use of open-source software comes with security risks.”

Vincent advises that the following factors are always in play:

• Organizations should have governance policies around the use of open-source software and monitoring policies for updates from open-source repositories.
• Developers need to be aware of the security risks that come from using open-source repositories in their projects.
• Any projects that use open-source repositories should always check their source(s) to make sure malicious code is not buried within.

Vincent also warns that the potential for repeating this event is quite easy, noting: “This incident shows how easily malicious code can be introduced to an open-source project.”

This is irrespective as to the motivations for doing so, as Vincent points out: “It’s notable for the fact that the person who introduced it claims that it is part of a peaceful protest.”

She adds: “Regardless of intent, the code is a potentially very harmful. Any projects that use node-ipc should be immediately checked to make sure they not on a malicious source code thread.”

In terms of future activities, Vincent spells these out: “Node-ipc is a popular opensource nodejs module for local and remote Inter Process Communication. Multiple Opensource Java frameworks require node-ipc as a dependency.” Technology supply chains appear to be a particularly vulnerable area.

Furthermore, Vincent says: “The maintainer of node-ipc purposefully sabotaged their own repository to include a piece of malware called “peacenotwar” that overwrites files with a heart emoji when detects the user is in Russia or Belarus. The maintainer or node-ipc, RIAEvangelist, denies that files are destroyed by peacenotwar.”