The developer of a popular open-source tool added pro-Ukraine “protestware” to the software, prominent cybersecurity journalist Brian Krebs reported on Thursday.
Cybersecurity startup Snyk Ltd. provided a technical analysis of the incident in a blog post. The incident began on March 7 when the developer of node-ipc, the GitHub user RIAEvangelist, uploaded a new release of the tool, version 10.1.1.
According to Snyk, version 10.1.1 of node-ipc included a snippet of code designed to activate if the tool is downloaded onto a computer located in Russia or Belarus. The code finds files on the user’s computer and overwrites them with a heart emoji, Snyk detailed.
Four hours after version 10.1.1 of node-ipc was released with the data-wiping code, RIAEvangelist uploaded a newer version of the tool with practically identical contents. Five hours after that, RIAEvangelist released a third update that “seems to have removed all indications of the aforementioned destructive payload,” Snyk detailed.
Overall, the data-wiping code was part of node-ipc for less than a day, according to Snyk.
On March 8, the day after the data wiping code was added and then removed, yet another update rolled out to node-ipc. This update contained a module called peacenotwar that included the description “this code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.”
Another significant development occurred this past Tuesday. That day, RIAEvangelist added the peacenotwar module originally rolled out on March 8 to a different version of node-ipc known as node-ipc 9.2.2.
The 9.2.2 version of node-ipc is notable because it’s used as a dependency by many other open-source projects, including the popular Vue.js framework for creating application interfaces. Consequently, the peacenotwar module was pulled into Vue.js along with it.
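As an added example (not code from the article, Snyk or node-ipc), the following Node.js script shows the kind of dependency-tree check the incident calls for: it scans a package-lock.json (assumed to be lockfileVersion 2 or 3, with the flat `packages` map) for the node-ipc releases the article names and for any copy of the peacenotwar module, reporting the install path so you can see which direct dependency pulled it in. The lock data, package names other than node-ipc and peacenotwar, and all version strings for them are constructed for the example.

```javascript
// Added example: flag the node-ipc releases named in the article (10.1.1
// carried the wiper, 9.2.2 pulled in peacenotwar) and any peacenotwar copy.
// Extend this set from an advisory feed; it is not a complete list.
const AFFECTED_NODE_IPC = new Set(["10.1.1", "9.2.2"]);

// Derive the package name from a lockfile "packages" key such as
// "node_modules/some-framework/node_modules/node-ipc": it is whatever
// follows the last "node_modules/" (scoped names like "@x/y" survive).
function packageNameFromKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Walk the flat "packages" map of a lockfileVersion 2/3 package-lock.json
// and return one finding per flagged entry. The key doubles as the
// dependency path, which tells you who brought the package in.
function findAffected(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (name === "node-ipc" && AFFECTED_NODE_IPC.has(meta.version)) {
      findings.push({ path: key, reason: `node-ipc ${meta.version} is a flagged release` });
    } else if (name === "peacenotwar") {
      findings.push({ path: key, reason: "peacenotwar module present in dependency tree" });
    }
  }
  return findings;
}

// Constructed sample lock: the app depends on a hypothetical framework
// that transitively installs node-ipc 9.2.2, which in turn pulls peacenotwar.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/some-framework": { version: "4.0.0", dependencies: { "node-ipc": "^9.2.0" } },
    "node_modules/some-framework/node_modules/node-ipc": { version: "9.2.2", dependencies: { peacenotwar: "*" } },
    "node_modules/peacenotwar": { version: "0.0.0-constructed" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Run against the sample (swap in JSON.parse(fs.readFileSync("package-lock.json")) for a real project).
for (const f of findAffected(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

Pinning exact versions in the lockfile and reviewing it in CI is what turns a check like this from a one-off scan into the "controlling your node modules" the module's own description refers to.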
Open-source software security is becoming a bigger focus for the tech industry. Last month, an industry group backed by Microsoft Corp., Google LLC, Intel Corp. and other major tech firms launched an open-source security initiative called the Alpha-Omega Project. The initiative aims to fix vulnerabilities in open-source projects and encourage broader adoption of cybersecurity best practices.