
Dev Sabotages Popular NPM Package to Protest Russian Invasion
2022-03-17 19:21

The developer behind the hugely popular npm package "node-ipc" has released sabotaged versions of the library to condemn Russia's invasion of Ukraine, a piece of supply-chain tampering that he would rather call "protestware" than "malware."

It started on March 8, when npm maintainer Brandon Nozaki Miller wrote source code and published two npm packages, peacenotwar and oneday-test, on both npm and GitHub.

Snyk published a diagram of the nested dependency tree, which illustrates "how node-ipc trickles into the Vue.js CLI npm package and further promotes the need to vet nested dependencies as a holistic risk."

On Tuesday, March 15, Vue.js users started experiencing what Tal said "can only be described as a supply chain attack impacting the npm ecosystem," the result of the nested dependencies node-ipc and peacenotwar "being sabotaged as an act of protest by the maintainer of the node-ipc package."

As far as the peacenotwar supply chain attack goes, Snyk is tracking the node-ipc incident as CVE-2022-23812, a vulnerability that has not yet been analyzed by NIST's National Vulnerability Database but which Snyk rates with a critical score of 9.8, given that it is easy to exploit.

Snyk is tracking the incidents involving the peacenotwar and oneday-test npm modules as SNYK-JS-PEACENOTWAR-2426724, with a low severity rating of 3.7, given that the attack complexity is high.
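Because node-ipc reached Vue.js projects only as a nested dependency, a practical defender check is to walk the full lockfile rather than the top-level package.json. The script below is an added example, not code from Threatpost, Snyk or the node-ipc project; it assumes an npm package-lock.json in lockfileVersion 2 or 3 format and a constructed sample tree, and it flags node-ipc versions in the CVE-2022-23812 range (10.1.1 up to but not including 10.1.3) as well as the peacenotwar and oneday-test packages at any depth.

```javascript
// Added example (not from the article, Threatpost or Snyk): scan an npm
// package-lock.json (lockfileVersion 2/3) for node-ipc in the sabotaged range
// flagged as CVE-2022-23812 (>= 10.1.1, < 10.1.3) and for the protest packages
// peacenotwar / oneday-test, at any nesting depth of the dependency tree.
const AFFECTED = { "node-ipc": [[10, 1, 1], [10, 1, 3]] }; // [min incl., max excl.]
const FLAGGED_NAMES = new Set(["peacenotwar", "oneday-test"]);
// "10.1.2-beta.1" -> [10, 1, 2]; prerelease/build tags are dropped (assumption:
// only the numeric core matters for this range check).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10));
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
function inRange(version, [min, max]) {
  const v = parseVersion(version);
  return cmp(v, min) >= 0 && cmp(v, max) < 0;
}
// Lockfile "packages" keys look like "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/" (13 chars).
function findSabotaged(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const version = meta.version || "";
    if (FLAGGED_NAMES.has(name)) hits.push({ path, name, version, reason: "protestware package" });
    else if (AFFECTED[name] && inRange(version, AFFECTED[name]))
      hits.push({ path, name, version, reason: "CVE-2022-23812 affected range" });
  }
  return hits;
}

// Constructed sample lockfile: node-ipc 10.1.2 arrives transitively under a
// Vue CLI helper, while a top-level node-ipc 9.x sits outside the range.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/@vue/cli-shared-utils": { version: "5.0.2" },
  "node_modules/@vue/cli-shared-utils/node_modules/node-ipc": { version: "10.1.2" },
  "node_modules/node-ipc": { version: "9.1.1" },
  "node_modules/node-ipc/node_modules/peacenotwar": { version: "9.1.6" },
} };

console.log(findSabotaged(SAMPLE_LOCK)); // two hits: nested node-ipc 10.1.2 and peacenotwar
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.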


News URL

https://threatpost.com/dev-sabotages-popular-npm-package-protest-russian-invasion/178972/

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                                     RISK
2022-03-16   CVE-2022-23812  Unspecified vulnerability in Node-Ipc Project Node-Ipc  critical (9.8)
             This affects the package node-ipc from 10.1.1 and before 10.1.3.
             Attack vector: network; attack complexity: low; vendor: node-ipc-project