Dev Sabotages Popular NPM Package to Protest Russian Invasion

In the latest software supply-chain attack, the package's maintainer added malicious code to the hugely popular node-ipc library that overwrites files with a heart emoji, and added a peacenotwar module as a dependency.

The developer behind the hugely popular npm package “node-ipc” has released sabotaged versions of the library to condemn Russia’s invasion of Ukraine: a supply-chain tinkering that he’d prefer to call “protestware” as opposed to “malware.”

Regardless of the peace-not-war messaging, node-ipc is now being tracked as a malicious package: it carries code that targets users whose IP addresses are located in Russia or Belarus and overwrites their files with a heart emoji.

It started on March 8, when npm maintainer Brandon Nozaki Miller (aka RIAEvangelist) wrote source code and published two npm packages, peacenotwar and oneday-test, on both npm and GitHub.


The peacenotwar module adds a message of peace to users’ desktops. It only does it once, “just to be polite,” according to Miller’s module description:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.

The peacenotwar message that gets added to desktops is accompanied by a music video of a song used in the March 15 One Day – Benefit for Ukraine. The message:

War is not the answer, no matter how bad it is. Please stand up against this injustice and stand up against evil. Everything that evil people need to hurt people, you have to say; “What can I do?” You are one person. It’s powerful. When one person is standing next to another and they are standing next to another, you soon have movement. Here’s how little people can come together for more than one person. Do what you think is right, follow your own morals.

Up until Tuesday, the module “had virtually no downloads at all,” according to a Wednesday alert and deep technical dive into the incidents posted by developer-security platform Snyk. It didn’t stay that way, though, wrote Snyk director of developer advocacy Liran Tal.

That changed when RIAEvangelist added the module as a dependency to node-ipc: a popular dependency that many JavaScript developers in the ecosystem rely upon, Tal explained – including the popular Vue.js frontend JavaScript framework, aka npm package @vue/cli.

Snyk drew the nested dependency tree, shown below, which shows “how node-ipc trickles into the Vue.js CLI npm package and further promotes the need to vet nested dependencies as a holistic risk.”

Nested dependency tree showing the relation between node-ipc and the Vue.js CLI npm package. Source: Snyk.

As of Thursday, the node-ipc library, used by millions of developers, was being downloaded 1,114,524 times per week.

npm Supply-Chain Attack

On Tuesday, March 15, Vue.js users started experiencing what Tal said “can only be described as a supply chain attack impacting the npm ecosystem” – the result of the nested dependencies node-ipc and peacenotwar “being sabotaged as an act of protest by the maintainer of the node-ipc package.”

Regardless of the pro-peace messaging, the security incident “involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms,” Tal asserted.

“While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security,” he added.
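The two points above, that node-ipc reaches Vue.js users only through nested dependencies and that transitive dependencies deserve the same vetting as direct ones, are easiest to act on with a lockfile audit. The following is an added example, not code from the article, from Snyk or from the node-ipc project: it walks the nested `dependencies` tree of an npm lockfile (the lockfile v1 layout, which v2 files also carry for compatibility) and reports every path by which a watched package is pulled in. The chain `@vue/cli -> node-ipc -> peacenotwar` in the sample is a simplified, constructed stand-in for the real Vue CLI tree, and the version strings are placeholders, not the sabotaged releases.

```javascript
// Added example (not from the article or from Snyk): audit an npm lockfile's
// nested "dependencies" tree for packages on a watch list and print the
// chain from the root project down to each hit.

// Package names taken from the article; the list is the only real data here.
const WATCHED_PACKAGES = new Set(["node-ipc", "peacenotwar", "oneday-test"]);

// Constructed sample lockfile (hypothetical chain, placeholder versions).
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@vue/cli": {
      version: "0.0.0-placeholder",
      requires: { "node-ipc": "*" },
      dependencies: {
        "node-ipc": {
          version: "0.0.0-placeholder",
          requires: { peacenotwar: "*" },
          dependencies: {
            peacenotwar: { version: "0.0.0-placeholder" },
          },
        },
      },
    },
    lodash: { version: "0.0.0-placeholder" },
  },
};

// Depth-first walk over the nested tree. Returns one array per hit, each
// listing the chain from the root project down to the watched package, so a
// reviewer can see which direct dependency is responsible for pulling it in.
function findWatchedPaths(lockfile, watched = WATCHED_PACKAGES) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${entry.version}`];
      if (watched.has(name)) hits.push(path);
      walk(entry.dependencies, path); // nested (non-hoisted) installs live here
    }
  };
  walk(lockfile.dependencies, [lockfile.name]);
  return hits;
}

// Render hits as "a > b > c" lines for a CI log or a ticket.
function formatReport(hits) {
  return hits.map((p) => p.join(" > "));
}

// Demo run against the constructed sample. For a real project, pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const demoReport = formatReport(findWatchedPaths(sampleLockfile));
console.log(demoReport.length ? demoReport.join("\n") : "no watched packages found");
```

Lockfile v3 drops the nested tree in favour of a flat `packages` map, where hoisted installs no longer encode who required them; there, `npm ls node-ipc` prints the same kind of chain directly. Either way, the useful output is the chain rather than the bare hit, because the fix (pinning, an `overrides` entry, or dropping the direct dependency) has to be applied at the link you control.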

In the wake of the SolarWinds software supply-chain attack of 2020, President Biden issued an executive order advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter this kind of far-ranging attack.

Besides SolarWinds, the software supply-chain attack problem more recently was underscored by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keep meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our ribs about when it recently came time for end-of-year coverage.

Peacenotwar: A Non-Peaceful 9.8 Criticality Rating

As far as the peacenotwar supply chain attack goes, Snyk is tracking the security incidents as CVE-2022-23812 for node-ipc – a vulnerability that, as yet, hasn’t been analyzed by NIST’s National Vulnerability Database (NVD) but which Snyk rates with a critical score of 9.8, given that it’s easy to exploit.

Snyk is tracking the incidents with the peacenotwar and oneday-test npm modules as SNYK-JS-PEACENOTWAR-2426724, with a low criticality rating of 3.7, given that attack complexity is high.

The advice for how to fix the vulnerabilities: Stay the &^%$ away.

“Avoid using peacenotwar altogether,” Snyk advised.


Discussion

  • a on

    What an awful thing to do. If you are not for Russian politics, what do Russian people and Russian kids have to do with that?
  • LoL on

    How to Lose Users 101
  • lanmower on

    If you like ipc stuff check out hyper-ipc, it's very good. Oh yeah, and if you got hit for using vue.js, might as well use this chance to check out riot.js, in my humble opinion it's better because it's nearly transparent :)
  • Ralph on

    Thanks for this, now I know why I don't use npm in my software. I don't want a msg popping up in my software every time something happens in the world.
  • Michael on

    This is why I have issues with things like NPM or nexus, you are giving up control of security to an unknown 3rd party. Also why I don't like auto package management in things like ubuntu and redhat, do you have control over the version they are sending you? That's one reason I stick to Slackware and just getting the source code (MD5 it), I can control what version I get. True there is still a trust area, but I'm not always getting the "latest" and "greatest" that might have malware put in for some political reason.
  • ben on

    The absolute gall of that developer to claim that this stunt was "pro-peace". No, RIAEvangelist, you did *not* protest against war, you gleefully *participated* in a war. And the attack you chose to carry out was one that can be expected to have approximately *zero* effect on slowing down the Russian military - instead, its harm is squarely targeted at innocent civilians. Vile.
  • Anonymous on

    Initially, the author updated the node-ipc package itself with destructive code. He later removed the code with a force push to the repo, trying to hide what he did, and then created the peacenotwar package which added a file to the desktop. When users pointed it out via GitHub issues, he edited the issues to cover up what he did even further. More information can be found [on GitHub, posted by MidSpike. External link removed.]
  • Serg on

    Amazing, tens of thousands of Belarusian citizens protested against the Government a year ago. Thousands were imprisoned and tortured. Hundreds were hardly wounded. Many were killed! Because of the support of the Russian government - the Belarusian government holds the power. Now if a Belarusian developer leaves the country and his/her parents stay in Belarus they can get in trouble, that's why many developers who do not support the government stay in Belarus. So they cannot leave Belarus. And now western developers show their ability to fight with victims! Niiiice! They are amazing!
  • Serg on

    Amazing, tens of thousands of Belarusian citizens protested against the Government a year ago. Thousands were imprisoned and tortured. Hundreds were hardly wounded. Many were killed! Because of the support of the Russian government - the Belarusian government holds the power. Now if a Belarusian developer leaves the country and his/her parents stay in Belarus they can get in trouble, that's why many developers who do not support the government stay in Belarus. So they cannot leave Belarus. And now western developers show their ability to fight with victims! Niiiice! They are amazing! Btw in Russia you can be sentenced to 15 years in jail if you protest or create some content against the war.
  • GigaTron on

    Garbage Developer. This is not a 'protest', this isn't even hacktivism. This is downright targeting ALL Russian-based IP addresses and maliciously deleting all the files that the user has. They are exploiting a framework that many trust and use to push their b.s. exploit through to infect as many as possible. Then they want to use Ukraine as an excuse for their ILLEGAL software-dependency push! Everyone should block-list and flame this developer. I now do not trust npm packages because of idiots like this. Someone taking a political stand and participating in war as a civilian with their target being ANY Russian IP is beyond ridiculous. Ban this idiot and take his little 'protest' exploit with him. Just because tech companies are all following each other due to this event doesn't mean that developers can take it upon themselves to act like some wannabe guardians because of a war conflict, which is much more complicated than what's been broadcast on the media, and start performing malicious acts under the guise of protest. Thanks for getting innocent people, children, teens, mothers, and everyone else involved in your gimmick. You could have simply shown up in protest marches or donated like anyone else. Instead you chose to infect people with your garbage npm package then hide on the internet as if there are no consequences for these actions. Please send this person to prison. Some of us are getting tired of seeing Ukraine flags spilt everywhere just so idiots like this can use it as an excuse to commit crimes.
  • Sergey on

    I suppose the problem with malware in open source is deeper and more general than it appears at first. The FS community has grown large, so despite the automatic filtering of only decent people being ready to set aside their own ego for public profit, some malicious individuals seep through, just like this now well-recognized malware and supply chain attacks enthusiast Brandon Nozaki Miller. These criminal-minded persons are normally forced to follow the rules of the community, while just waiting for a chance to commit crime with more or less impunity (destroying files on others' computers is a crime in the country he lives in, for sure), when it supposedly won't cause grave consequences for the author. There should be adequate ways of isolating such criminals from the free software society, otherwise our public repositories will soon be completely compromised by various felons whatever camouflage they use. So I personally propose major package managers start to track physical identities of the popular authors and sign the work with their private keys (face recognition might be just enough of an ID for starters) and mark any works and derivatives of non-identified persons or recognized malware authors like Brandon mentioned above. We need a sort of free KYC-like public key registry, actually without other personal data, for FS developers and support for it in major package managers. We don't need to get personal information on authors, but just to prevent banned criminals from creating new accounts. A simple procedure to forever exclude malware enthusiasts from the FS mainstream will definitely help. Actually I can try to implement such a service, but without good will from package registry holders it's just a waste of time... Moreover, such a key registry can improve the package publishing procedure as using a checked registered public key to submit packages will allow automated processes without ugly 2FA procedures.
