The developer of a popular open-source tool added pro-Ukraine “protestware” to the software, prominent cybersecurity journalist Brian Krebs reported on Thursday.
Cybersecurity startup Snyk Ltd. provided a technical analysis of the incident in a blog post. The incident began on March 7 when the developer of node-ipc, the GitHub user RIAEvangelist, uploaded a new release of the tool, version 10.1.1.
According to Snyk, version 10.1.1 of node-ipc included a snippet of code designed to activate if the tool is downloaded onto a computer located in Russia or Belarus. The code finds files on the user’s computer and overwrites them with a heart emoji, Snyk detailed.
Four hours after version 10.1.1 of node-ipc was released with the data-wiping code, RIAEvangelist uploaded a newer version of the tool with practically identical contents. Five hours after that, RIAEvangelist released a third update that “seems to have removed all indications of the aforementioned destructive payload,” Snyk detailed.
Overall, the data-wiping code was part of node-ipc for less than a day, according to Snyk.
On March 8, the day after the data-wiping code was added and then removed, yet another update rolled out to node-ipc. This update contained a module called peacenotwar that included the description “this code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against the aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.”
Another significant development occurred this past Tuesday. That day, RIAEvangelist added the peacenotwar module originally rolled out on March 8 to a different version of node-ipc known as node-ipc 9.2.2.
The 9.2.2 version of node-ipc is notable because it’s used by many other open-source projects, including the popular Vue.js framework for creating application interfaces. Consequently, the peacenotwar module was pulled into Vue.js as a dependency.
Open-source software security is becoming a bigger focus for the tech industry. Last month, an industry group backed by Microsoft Corp., Google LLC, Intel Corp. and other major tech firms launched an open-source security initiative called the Alpha-Omega Project. The initiative aims to fix vulnerabilities in open-source projects and encourage broader adoption of cybersecurity best practices.