Open source dev attacked for spreading data-wiping 'protestware'

Developer denies wiping users' drives in spite of detailed code analysis

A developer has been fighting a public backlash after being accused of trying to indiscriminately spread malware to Russian IPs through a popular open source package.

The developer, Brandon Nozaki-Miller, has denied allegations that his code wiped the hard drives of users in Russia and Belarus, in spite of a detailed code analysis online by third-party experts.

Miller maintains 'node-ipc', a legitimate interprocess communication module for Linux, Mac, and Windows systems. According to GitHub, almost 761,000 people use the package.

Following an analysis of the code on March 7 of this year, software security company Snyk concluded node-ipc had been updated with a malicious package, adding that the software was targeting any user with an IP address from Russia or Belarus, overwriting their files with a heart emoji in the process.

Following the update, users began reporting that the code was wiping their systems. One school student claimed that node-ipc had erased their hard drive after they tried to use it for a school project, and another unconfirmed report from someone claiming to work for an American NGO in Belarus said that the code had wiped thousands of messages documenting human rights abuses from servers located there.

Snyk said that node-ipc was properly maintained long before this incident, but that the malicious code was present in node-ipc from version 10.1.1 until 10.1.3. It assigned the vulnerability the ID CVE-2022-23812, with a 9.8 (critical) CVSS score.

The node-ipc tool was used in packages including Vue.js's command line tool, Snyk said.

The company said that the vulnerable versions of the node-ipc package were then removed from the npm registry on March 8. Nevertheless, the code updates had affected some users, it added.

Nozaki-Miller is said to have then added another package called 'peacenotwar' as a dependency for node-ipc on the same day. This package purportedly displayed a peaceful message on people's desktops protesting the war in Ukraine, something Miller has called 'protestware'. This was an effort to try and hide the previous attempt to spread malware, according to Snyk.

The message, contained in 'WITH-LOVE-FROM-AMERICA.txt', said "War is not the answer" and asked people to forgive soldiers fighting the war under orders from their government. One version of the code also created files on users' systems documenting the current war situation in Ukraine.

Open source users mounted a significant backlash against Miller, leaving a string of issues on the project's GitHub page protesting his actions. The issues have now been deleted.

Miller told IT Pro that he had been swatted, which is an attack where someone finds a victim's address and alerts police to a fake emergency there. He also denied that the code was malicious.

"As far as I am aware, no actual computers were harmed unless by people trying to make it look like my code did something it did not," he said. "The only actual thing which happened was as documented and licensed in the source code files, a file was added to the desktop with a message of peace, morality, and trying to remember forgiveness when this is all over."

Snyk's detailed analysis rejects this claim, with the company accusing Nozaki-Miller of trying to obfuscate an attempt to spread malware. "This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," it said.

"How does that reflect on the maintainer’s future reputation and stake in the developer community?" it asked. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

The company published a script for those using npm as their package manager. It will only allow npm to install benign versions of the software.
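
The following is an added example, not Snyk's script and not code from the article: a lockfile audit that flags node-ipc releases in the range the article gives (read here as 10.1.1 through 10.1.3 inclusive, an assumption) and lists any 'peacenotwar' entry for review. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not Snyk's script. Audits a parsed package-lock.json.
// Assumption: the article's "10.1.1 until 10.1.3" is read inclusively.
const FLAGGED = { name: 'node-ipc', min: [10, 1, 1], max: [10, 1, 3] };
const REVIEW = new Set(['peacenotwar']); // dependency the article says was added

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function classify(name, version) {
  if (REVIEW.has(name)) return 'review';
  const v = parseVersion(version);
  const inRange = v && cmp(v, FLAGGED.min) >= 0 && cmp(v, FLAGGED.max) <= 0;
  return name === FLAGGED.name && inRange ? 'flagged' : null;
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, version, where) => {
    const status = classify(name, version);
    if (status) findings.push({ name, version, where, status });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ('' is the root project)
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      if (i >= 0) record(path.slice(i + 'node_modules/'.length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, so walk transitive entries too
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project)
const SAMPLE = { lockfileVersion: 2, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/node-ipc': { version: '10.1.2' },
  'node_modules/tool/node_modules/node-ipc': { version: '9.2.1' },
  'node_modules/peacenotwar': { version: '1.0.0' } } };
console.log(auditLockfile(SAMPLE));
```

Run it against `JSON.parse` of a project's own package-lock.json; a 'flagged' or 'review' finding at a nested path means the package arrived as a transitive dependency.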
