Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Programming

Famous NPM Package Deletes Files To Protest Ukraine War (bleepingcomputer.com) 114

The developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War, BleepingComputer reports. From the article: Newer versions of the 'node-ipc' package began deleting all data and overwriting all files on developer's machines, in addition to creating new text files with "peace" messages. With over a million weekly downloads, 'node-ipc' is a prominent package used by major libraries like Vue.js CLI.

Select versions (10.1.1 and 10.1.2) of the massively popular 'node-ipc' package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under CVE-2022-23812. On March 8th, developer Brandon Nozaki Miller, aka RIAEvangelist released open source software packages called peacenotwar and oneday-test on both npm and GitHub. The packages appear to have been originally created by the developer as a means of peaceful protest, as they mainly add a "message of peace" on the Desktop of any user installing the packages. "This code serves as a non-destructive example of why controlling your node modules is important," explains RIAEvangelist.

This discussion has been archived. No new comments can be posted.

Famous NPM Package Deletes Files To Protest Ukraine War

Comments Filter:
  • a good idea? The problems the act exposes seems huge to me!
    • by Stormwatch ( 703920 ) <rodrigogirao AT hotmail DOT com> on Friday March 18, 2022 @04:17PM (#62370075) Homepage

      subject box. It's called subject box, not start-of-comment box.

    • "a good idea" what? Where's the beginning of your comment, friend?

    • Maybe the developer figured out that certain IP address blocks are used by evil Bela/Russian hackers while citizens already opposed to the regime are all using some sort of VPN or anonymizing proxy.
    • NPC deletes NPM. Next on NPR.
    • by Aubz ( 7986666 )
      Its not as if code changes targeting one country, in this case Russia, could not be repurposed to target another country, say the US, is it, super genius. This virtue signalling moron should never be trusted any where near a code repository. What a fucking retarded arse wipe.
    • The fact you think *this* act exposes the problems rather than the several previous examples we've covered on Slashdot just shows you're not paying attention. At least in this case they are targeting their efforts for a good cause rather than throwing a temper tantrum about support or whatever bullshit the last NPM story was.

    • He is an Utter Cretin

      All Russian government contractors, telecom contractors and businesses operate under an advisory that any update with date later than 2 days before the declaration of independence by the republics must undergo a security audit before use. Using code checked in after that date without an audit is a sackable offence.

      So this update hit nobody in the government, nobody in the telecoms, practically nobody in the businesses.

      It wiped every second opposition and anti-putin NGO server. You

  • by Merk42 ( 1906718 ) on Friday March 18, 2022 @03:49PM (#62369977)
    People here will blame the developers using the library, rather than the intentionally malicious library maintainer themselves.
    • People here will blame the developers using the library, rather than the intentionally malicious library maintainer themselves.

      I would ask why they're using source code they haven't audited first. Isn't that the entire point of the movement?

    • > People here will blame the developers using the library, rather than the intentionally malicious library maintainer themselves.

      Hey, always carefully examine every piece of code your project incorporates!

      Also: what, you haven't applied the security updates released YESTERDAY? What kind of irresponsible fool are you to not have auto-updates turned on?

      I'm sure every tiny project has a full CI system with full coverage, too.

      • Wouldn't it be AMAZING if GitHub had a button you could click and see exactly what has changed between this version and the last? So it two minutes you could check for "rm -rf /".

        But seriously, I do understand the tension you're talking about.
        Fortunately, the button is there, for open source.

        For Microsoft, there is a more difficult balance between how many days you wait before updating.

    • by Dracos ( 107777 )

      People should (but won't) blame the shoddy, cavalier JS ecosystem that allows things like this to happen in the first place.

    • The war is a little bigger than a minor open source developer squabble.

      Still, at this point everyone knows they need to make backups, and everyone knows they need to manager their dependencies.

      • I too have seen these people that manage their dependencies. They're easy to spot because they look like horses, but they have a spiral horn protruding up from the bridge of their nose. I once saw one but it could also have been the mushrooms.
        • There are companies like Jfrog that make money off managing dependencies, so it definitely happens.
          At a minimum, you should be specifying a version.

    • by sjames ( 1099 )

      Honestly, it is mixed. By this point if you're allowing NPMs to randomly update without any sort of QC process anywhere outside of a development sandbox, you're crazy.

      At the same time, the list of things wrong with the developer's actions is extensive.

    • by AmiMoJo ( 196126 )

      There's plenty of blame to go around. Let's not forget NPM, who should by now have put something in place to stop this happening.

    • by mhkohne ( 3854 )

      I'm going to blame an entire development ecosystem that encourages developers to just blindly include the 'latest' version of something taken from an upstream repo that has no significant controls on it's contents. We've had multiple instances of things getting broken/taken over/turned into malware and there is no longer any excuse for just blindly pulling shit in!

      Yes, keeping an eye on the things you depend on DOES in fact take extra work. Perhaps you could, I don't know, pay someone to do that work?

      Shocki

    • Yeah he obfuscated the code⦠and was incredibly lazy as well. He calls some api which tells him the origin country and trusts the result blindly, too bad of the user is in random vpn exit point etc, or the api is just wrong. Anyway he seems to use a fixed api key and the api owners seem to have blocked it to stop anyone falling for this. Also anyone with decent security practices would not be impacted by this of they were blocking outgoing requests so that it canâ(TM)t hit the api.
  • The next one to have this happen is whoever maintainers disagree with. There needs to be some set of rules to prevent this behavior.
    • by narcc ( 412956 )

      Maybe don't use tools that automatically download new versions of third-party libraries?

      Just put the necessary work into managing your dependencies. You'll very quickly discover how few you actually end up "needing" when there's a real cost associated with including each one.

      As a bonus, your project will be smaller, faster, and easier to maintain. Your users will thank you.

      • Yes, the value of zero-transitive-dependencies libraries is often ignored. Kudos to library developers who prioritize this.

    • We have had a solution for a long time. It's called version control.

      Instead of always installing the latest, which is exactly how you get burned by this, declaratively lock your version number and always use that version. And then when you need to update, test the new version before deploying to anything that matters.

      What kind of fucking cowboys just always use the latest version of everything at install-time and expect their code to actually function?

  • eh, screw Russia.

    Then I thought a little harder, and it started to bug me.
    • eh, screw Russia.

      Then I thought a little harder, and

      ..nope, still thinking "screw Russia."

      (Fixed that for you)

    • by xlsior ( 524145 ) on Friday March 18, 2022 @04:17PM (#62370081)
      Geo-targeted behavior isn't exactly new -- for years now, many of the nasty crypto ransomware tools from Russian hacker groups are programmed not to activate their payload on computers with Russian-language keyboards associated with them, in no small part because Russian law enforcement doesn't particularly care about the damage caused abroad as long as it doesn't impact themselves.
      • with Russian-language keyboards associated with them

        That part-myth was debunked, the tools actually check to see if the Russian-language and locale are the *default* set. Simply having a Russian keyboard associated with your PC doesn't prevent the malware from executing.

    • It should bother you if you aren't managing your dependencies. This kind of thing has been going on almost as long as NPM has existed. It's a known weakness of the platform, and has been criticized for many years.

  • This is the best report on the subject by far: https://arstechnica.com/inform... [arstechnica.com]
  • The problem with this is that all software updates and installs are based on trust. We trust our developers to give us a non-malicious. When the developers weaponize the updates based on their own political agendas (no matter how righteous they are) that trust is broken.
    • That sort of trust is unnecessary and misplaced from the get-go. Also trust, but verify and accept that you if you choose not to, it will be at your own peril and that of all those downstream of your dumb, fragile, broken trust chain. This sounds a lot like WAHHH THE FREE SHIT GIVER DIDNT DO WHAT I WANTED THEM TO WITH MY (their) FREE SHIT - I WANT TO BE ABLE TO BLINDLY TRUST AND CONTRIBUTE NOTHING REEEE.
    • By this point, you shouldn't trust NPM. The trust was broken long ago.

    • by augo ( 6575028 )

      But should have we trusted random strangers on the internet in the first place? The practice how casually random libraries are included into software projects have been scaring me already for a while. It could be slightly better if all software was run in a sandbox, but even on macOS, where sandboxing is pretty much streamlined, many developers just don't bother to use the feature. Various Electron apps without sandboxing with randomly downloaded plugins (I am looking at multiple IDE-like editors) seems lik

    • Calculate your risks and have an escape plan. The great thing about open source is you can maintain it yourself if you have to.

      The problem with the open source community is it's made up of humans.
  • My summary used the same article, and the summary is almost the same. Except in my opinion it added the most important part of the article in that the biggest issue with this is that it undermines trust in open source community.

    • by Anonymous Coward

      Well then you have your answer, no one may question the Open Source Reich!

    • I agree.
      Any society runs on an element of trust. The more complex the society the more trust is needed.
      From the food we eat, the delivery distribution networks to the credo we use to pay for it.

      Normally the fact that the actor's identity is known usually prevents such malicious attacks.
      Imagine the actor is a person who is known, in good standing, and authorised and then blows up their customers' property, deliberately.
      Would you buy that brand again?
      But then again I wouldn't believe people would use
  • by SuperDre ( 982372 ) on Friday March 18, 2022 @04:28PM (#62370117) Homepage
    His actions are far from peaceful. It's exactly the same as smashing local business windows or setting cars on fire during a protest. You're destroying people's work. This developer should be barred from Github for doing such a thing.
    • I agree, honestly. That previous NPM package that was sabotaged to just not work wasn't great, but wasn't destructive (merely obstructive). This is on a whole other level. Honestly, I was expecting a mention about how many lawsuits had been filed until the last sentence where it clarifies that it was a targeted attack against this months whipping boys.
      Still.
    • by ArchieBunker ( 132337 ) on Friday March 18, 2022 @06:08PM (#62370459)

      What part of as is no warranty implied did you not understand?

      • Goes hand in hand with no trust implied either. A strong position for open-source advocates in their continued battles against proprietary.

    • His actions are far from peaceful. It's exactly the same as smashing local business windows or setting cars on fire during a protest. You're destroying people's work. This developer should be barred from Github for doing such a thing.

      You bring up an interesting analogy. The author can employ the Rittenhouse defense. Belarus and Russia were going to come for him next and use his code against him, self defense, cry on the witness stand. Judge will say you can't call the victims victims because Belarusians and Russians started it or some crap like that.

    • It's exactly the same as smashing local business windows or setting cars on fire during a protest.

      Yeah but only businesses and cars supporting a murderous government. You seem to not understand what the entire world's strategy is at the moment. Do you think McDonalds pulled out of Russia so that Putin himself couldn't buy a BigMac?

      People are responsible for their government. Their government is currently starting a war in Europe. Fuck the people themselves, they can take action for their responsibilities of years of not standing up or simply rolling over and accepting what the government tells them.

      • Ahh so those businesses whose windows are smashed or robbed and those owners of cars who got set on fire during demonstrations were all responsible for what their government did, so in that case you are also responsible for any innocent death your government made, so all americans are responsible for any civilian death during a bombing.
    • by Wolfrider ( 856 )

      > This developer should be strung up by his thumbs and flogged for doing such a thing

      There, FTFY

  • This is why software devs should never trust third parties. Any third party. Minimal, flat dependencies for any application. The more you can build/maintain by yourself, the better off you are in the long run. That said, some things are actually very hard to do efficiently and/or securely in software and so you have to pick and choose your battles, er, libraries carefully. Image processing, cryptography, video game engines, Unicode, to name a few areas where a library makes sense - and if the library i

  • Basic grammar, people.

  • <insert both meme>

  • That's why people should use private mirrors for everything and vet components used in the applications. One never knows when some random developer may experience mental episode.
  • This is a bad move to turn software and licensing into weapons or coercion tools. What this author did, also damage the reputation of every Node/JS softwares.

    But is it that much different from what Microsoft did by revoking licenses in Russia?

    The message Microsoft confirmed is that you don't own the software and Microsoft keeps the master key.

    The message that this library author passed, is that the licensing of the library is just words without binding and if author can breach license, anyone can do (I doub

    • It would have been a better advocacy for open-source to say, we don't use our software for political statements, unlike say proprietary. Now that advantage has been burned to ashes because people can't separate the two. And people WILL remember.

      • by nagora ( 177841 )

        It would have been a better advocacy for open-source to say, we don't use our software for political statements,

        Well, open source/Free software is a political movement so that would have been a lie.

  • More like "infamous" now...

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...