Let’s start with setting one thing straight: war is bad. Regardless of which side you support (or disagree with), politics and programming should never get mixed up. “Protestware” should not exist as a term, especially when it comes in the form of destructive malware.
If you’re going to write free open-source software, do it thinking that nefarious people might use it. Or don’t write it at all.
News recently broke that former-motorcyclist, current-programmer and actual-moron RIAEvangelist, also known by his ‘murican name Brandon Nozaki Miller, in a move that can only be described as a supply chain attack impacting the npm ecosystem, decided to sabotage his own packages, node-ipc and peacenotwar, by pushing malicious code which does the following:
- With a 50/50 random chance, it decides whether to stop executing.
- If it continues, it uses an online geolocation API to retrieve the user’s location via their IP address.
- If the user IP address is located in Russia or Belarus*, it will proceed to recursively overwrite all of their files with a “❤️”, effectively wiping the whole computer.
The geolocation API key that was used is no longer active, so the malware doesn’t work anymore, but the code already affected many innocent users.
Luckily, I wasn’t affected by this, because I’ve avoided the junk that the npm ecosystem is, and I’m not going to talk too much about it, because you can find more here, including reports of large innocent projects that were affected (VueJS, Unity), a reportedly serious victim (an unnamed NGO that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states) and how the dipshit is trying to cover up the entire thing by editing and removing comments and issues on GitHub that call out his malware.
The article published by Snyk is very thorough and shows how bad the code is.
Also, this shit is so bad it’s been assigned CVE-2022-23812.