Targeted ‘protestware’ attack on Russian and Belarusian computers draws criticism from open source community
The maintainer of the widely used networking library node-ipc sparked a backlash from the open source community earlier this month after malicious code that overwrites local files with anti-war messages on machines in Russia and Belarus was added to the package.
Software maintainer Brandon Nozaki Miller, known online as RIAEvangelist, added the code two weeks ago as part of a new release of the library. Described as “protestware”, the addition included a function that checked the IP address of anyone who installed the package. If the address was identified as coming from Russia or Belarus, the code erased files on the device and replaced their contents with heart-shaped emojis.
According to BleepingComputer, Miller originally released the code, titled “peacenotwar,” independently of node-ipc, but it was later included as a dependency of the popular package. That decision effectively forced a portion of the million users who download node-ipc every week to pull in “peacenotwar” without their knowledge. Even if users visually inspected the code for malicious content, Miller had disguised it to make detection more difficult.
Security company Snyk released a report on the incident on Wednesday, calling the “peacenotwar” implementation a “very clear abuse” and questioning Miller’s future role as a maintainer of open source software. “While RIAEvangelist’s deliberate and dangerous act will be seen by some as a legitimate act of protest, how does this impact the maintainer’s future reputation and stake in the developer community,” wrote Liran Tal, a researcher at Snyk. The report notes that Miller currently maintains more than 40 similar code libraries that account for “hundreds of millions of downloads.”
In an email to Motherboard, Miller denied that the code had the ability to overwrite files on computers. “It just puts a file on the desktop,” he wrote. Miller’s official description of “peacenotwar” calls it a “non-destructive example of the importance of controlling your node pods” and “a non-violent protest against Russia’s aggression that threatens the world right now.”
The revelation sparked a wave of angry reactions on GitHub Community Forums claiming that Miller’s actions threaten to undermine the very concept of open source development. “Is making a statement about Putin and the Russian oligarchs attacking what are probably the average Russian/Belarusian (sic) people really worth attacking the integrity of an open source project and FOSS in general?” a user wrote.
“What if a Russian decides to do the same thing as RIAEvangelist here? They could go further and claim this as ‘revenge’ for an unprovoked attack on them. What if someone targeted Ukrainian IPs for something your government did?” another user added.
Tal echoed those concerns. “Snyk stands with Ukraine and we have acted proactively to support the Ukrainian people during the current crisis with donations and free services to developers around the world, as well as measures to cease activities in Russia and in Belarus,” Tal wrote. “That said, intentional abuse like this undermines the global open source community.” According to Ars Technica, the malicious code has since been removed, but Snyk’s report recommended that users stop using node-ipc altogether.