Famous NPM Package Deletes Files To Protest Ukraine War (bleepingcomputer.com)
The developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War, BleepingComputer reports. From the article: Newer versions of the 'node-ipc' package began deleting all data and overwriting all files on developers' machines, in addition to creating new text files with "peace" messages. With over a million weekly downloads, 'node-ipc' is a prominent package used by major libraries like Vue.js CLI.
Select versions (10.1.1 and 10.1.2) of the massively popular 'node-ipc' package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus. These versions are tracked under CVE-2022-23812. On March 8th, developer Brandon Nozaki Miller, aka RIAEvangelist, released open source software packages called peacenotwar and oneday-test on both npm and GitHub. The packages appear to have been originally created by the developer as a means of peaceful protest, as they mainly add a "message of peace" on the Desktop of any user installing the packages. "This code serves as a non-destructive example of why controlling your node modules is important," explains RIAEvangelist.
And someone thought this was (Score:2, Insightful)
Don't start the comment in the (Score:5, Informative)
subject box. It's called subject box, not start-of-comment box.
Re:Don't start the comment in the (Score:4, Funny)
subject box. It's called subject box, not start-of-comment box.
time machine! I've just invented a
How much success have you had (Score:1)
ordering people around on the Internet?
Comment outside (Score:2)
This is the subject of my comment! (Score:3)
"a good idea" what? Where's the beginning of your comment, friend?
It was (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Yeah, prison material. But they will let him off the hook because it is ze russians.
Re: And someone thought this was (Score:1)
Re: And someone thought this was (Score:2)
I know exactly how to implement it.
isBadPerson(p) => true;
Re: (Score:3)
Software is provided as is. No laws were broken.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
The fact you think *this* act exposes the problems rather than the several previous examples we've covered on Slashdot just shows you're not paying attention. At least in this case they are targeting their efforts for a good cause rather than throwing a temper tantrum about support or whatever bullshit the last NPM story was.
Re: (Score:3)
All Russian government contractors, telecom contractors and businesses operate under an advisory that any update with date later than 2 days before the declaration of independence by the republics must undergo a security audit before use. Using code checked in after that date without an audit is a sackable offence.
So this update hit nobody in the government, nobody in the telecoms, practically nobody in the businesses.
It wiped every second opposition and anti-putin NGO server. You
Re:it's an awesome idea (Score:5, Insightful)
Or you could:
1. version lock libraries and dependencies
2. implement automated testing in your CI process
3. actually test your shit before deploying it to production
4. not run bleeding-edge versions unless there's a compelling reason to do so, such as fixing major vulnerabilities
5. did I mention testing somewhere before letting it anywhere near real data you care about?
6. back up your data
7. test your backups regularly because an untested backup isn't a backup.
I mean, who just imports bleeding edge versions of libraries and shouts YEE HAW while deploying to a production system untested, with no backup? That's just plain fucking stupid.
And apparently, this looks too much like ascii art? Whereas actual ascii swastikas appear regularly in this comment section. Well done, Slashdot.
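As an added example of the version-locking advice in this comment (not code from the article or from any commenter), here is a small Node script that audits a package.json and its v2 package-lock.json for floating version ranges, lockfile entries with no integrity hash, and resolved versions the article names as sabotaged. The node-ipc versions come from the article; every other package name, version and hash below is constructed sample data.

```javascript
// Added example: audit an npm manifest and lockfile for dependency drift.
// The only real identifiers here are node-ipc 10.1.1 / 10.1.2 (CVE-2022-23812,
// named in the article); all other sample data is constructed for the demo.

const KNOWN_BAD = {
  'node-ipc': new Set(['10.1.1', '10.1.2']),
};

// An exact pin looks like 1.2.3, optionally with a prerelease suffix.
// Anything else (^, ~, *, "latest", ">=") lets `npm install` drift.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// Returns findings as { name, kind, detail } objects.
function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});

  // 1. Floating ranges in the manifest: the lockfile only protects you if you
  //    actually commit it and install with `npm ci`, so flag these anyway.
  for (const [name, range] of Object.entries(declared)) {
    if (!isPinned(range)) findings.push({ name, kind: 'floating-range', detail: range });
  }

  // 2. Walk the lockfile's "packages" map (lockfile v2/v3 layout).
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!entry.integrity) {
      findings.push({ name, kind: 'missing-integrity', detail: entry.version });
    }
    const bad = KNOWN_BAD[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ name, kind: 'known-bad-version', detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample manifest and lockfile.
const SAMPLE_PKG = {
  name: 'demo-app',
  dependencies: { 'node-ipc': '^10.1.0', 'left-pad-ish': '1.3.0' },
  devDependencies: { 'some-linter': 'latest' },
};

const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/node-ipc': { version: '10.1.2', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/left-pad-ish': { version: '1.3.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/some-linter': { version: '4.0.0' }, // no integrity hash
  },
};

for (const f of auditDependencies(SAMPLE_PKG, SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.name} (${f.detail})`);
}
```

With real files, replace the two sample constants with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json and fail the CI step when any finding is returned.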
Re: (Score:2)
Re: it's an awesome idea (Score:2)
Version lock isn't as easy if you have a time delay so it's inserted a few versions back.
But deleting files is a bit crude, better to throw up pop-ups with information about the war under certain conditions.
Re: it's an awesome idea (Score:2)
Re: Testing necessary but not sufficient (Score:2)
This isn't necessarily true. If you promote properly through testing environments, the sleeper code will trigger in a test environment before production with the only question being is the lag between prod and test environments significant enough to determine the issue. In fact depending if you have 3 or 4 test environments and adequate documentation of promotion of code, then you will have a smoking gun when you look at the files modifications date and see that the specific change was promoted some consist
Just like with Colors and Faker (Score:5, Interesting)
Re: (Score:3)
Maybe people
rely
on third party libraries
so they can
creatively and effectively write their own code
instead of reinventing the wheel
Re: (Score:2)
The definition of progress, though I think version-pinning will continue to become more of a thing in light of the situation.
Re: (Score:2)
And maybe all companies should start mining their own raw materials to make their own parts to make their own products! /sarcasm
Programmers are not paid to rewrite existing libraries, they're paid to write software that manages their company's data.
Re: (Score:2)
And those companies didn't pay a cent to the OSS library developers.
It's free, so as the old saying goes if it breaks you get to keep both halves.
Re: (Score:2)
If I buy raw materials from a vendor they will certify their product with test results. If the material is defective then you have legal recourse. All software is use at your own risk unless you get into medical or aviation fields. You downloaded bad code and got bit in the ass? That’s 100% your fault.
Re: (Score:2)
It's fine to use libraries. If it isn't, where do we stop? Should I be fabbing my own silicon or is it OK with you if I let AMD do it?
The problem is an uncontrolled update process and woefully inadequate vetting of libraries.
Re: (Score:2)
Should I be fabbing my own silicon or is it OK with you if I let AMD do it?
Pedantic nitpick: AMD does not fab silicon. They let TSMC do it.
Re: (Score:2)
and completely inadequate testing. Don't forget the testing, since apparently everyone else already has.
Re: (Score:2)
Yes. Personally, I wouldn't trust an update until it proved itself on a VM. The VM would need to have checkpoints so I could roll it back if an update did something unfortunate.
That would be fucking stupid (Score:5, Insightful)
> Maybe people should rely a little less on third party libraries to do all their work for them, and actually do their job and write code. Programmers nowadays are 90% just stitching together code someone else wrote
That would be fucking stupid. Work the same hours and produce 90% less usefulness?
Maybe programmers should only write assembler, rather than using compilers someone else wrote. In which case we'd be at the level of deploying touch-tone phones about now. Maybe delivery drivers should design and manufacture their own cars before making a delivery. No using someone else's engine design, either - you should design your own engine.
Hey, no using a steel forge made by someone else! You gotta forge your own steel after designing and building your own steel plant, right?
Don't dare use someone else's dump truck design at your mine, either. Gotta design and build your own dump truck to use at your own mine to make your own steel to make your own engine parts to build your own car to make that delivery.
That's actually a large part of the difference between humans and other animals. Humans get a car from someone else. The car company just assembles the components. They got the engine, wheels, etc from someone else. The guy making the wheels is just stamping steel he got from someone else.
As opposed to animals, who don't use tools they bought from another horse.
It may be best if you just don't talk anymore. It's clear you don't have intelligent thoughts.
What people SHOULD do, however, is take a quick look at the changes in Git before deploying new code.
Re: (Score:2)
How was software written in the days before online repos?
Paper tape in the 1950s (Score:2)
> How was software written in the days before online repos?
With offline repos.
Immediately before the internet, we had these plastic circles, Mylar. The plastic was coated with iron oxide. You'd get the libraries encoded into the magnetic polarity of the iron oxide particles.
In the 1950s the EDSAC repo was stored on paper tape and copied into programs by copying the holes.
https://upload.wikimedia.org/w... [wikimedia.org]
Re: That would be fucking stupid (Score:2)
Slowly. So slowly, that if you tried to do it today and didn't have a captive market you'd be out of business soon. That ship has sailed.
Re: (Score:3)
Maybe people should rely a little less on third party libraries to do all their work for them, and actually do their job and write code. Programmers nowadays are 90% just stitching together code someone else wrote for them, and have little or no ability to creatively and effectively write their own code.
And the work crew that frames your house is "just stitching together" lumber that someone else milled for them...which is exactly what their job is. Even though we may hold them accountable for the final product they deliver to you, it simply isn't their job to mill the lumber before they start framing your house. You can't build a skyscraper—at least not on a reasonable budget or in a reasonable time—if you demand that the construction crew smelts their own ore after mining it with their own ha
Re: (Score:2)
One might go on to say that stitching together lumber that someone else milled is still too much work. It's possible to buy prefabricated houses, mobile homes, shipping containers, sheds, etc.
So someone makes skyscrapers by stacking mobile homes on top of each other. It's too much work to make our own walls! They are already made for us, why re-invent the wall?
And so we get the software equivalent of a skyscraper of stacked mobile homes, because the developers can't design support columns, pour concr
Re: (Score:2)
No disagreement from me on any of that, just wholehearted agreement. I’ll push back on the notion that programmers should be building everything they use, but I won’t push back in the least on the idea that they remain accountable for ensuring that the tools, parts, and resources they use are fit for purpose.
Re: Just like with Colors and Faker (Score:1)
Re: (Score:2)
Or pin versions and not update unless there's a good reason to, such as vulnerability patching or needed functionality?
Updating a library for the sake of updating a library is nothing but risk. Anyone who is competent should realize that, because they've probably been burned by a shitty refactor where someone hasn't properly deprecated things in the past and it breaks downstream code, much less intentional asshattery such as what TFA is about.
Re: (Score:2)
Programmers nowadays are 90% just stitching together code someone else wrote for them, and have little or no ability to creatively and effectively write their own code.
It's probably way higher than 90% and it's been that way since we moved on from machine code to assembler.
Re: PE crazy, crazy PE (Score:2)
It reminds me of rap artists from the 90's that would just sample other people's songs and call it their own. Think what you want but you can't deny that Fear of a Black Planet, with its hundreds of samples, was a landmark album.
Re: (Score:2)
It's so weird anybody would ever use code written by someone else.
Open source is the worst!
Re: (Score:3)
People here will blame the developers using the library, rather than the intentionally malicious library maintainer themselves.
I would ask why they're using source code they haven't audited first. Isn't that the entire point of the movement?
Re: (Score:2)
I would ask why they're using source code they haven't audited first. Isn't that the entire point of the movement?
Exactly. Every small business should employ a few thousand security professionals to audit every line of every update they install.
Why not?
Re: (Score:2)
All open source is use at your own risk.
Re: (Score:2)
So is closed source.
And self-written source.
Re: (Score:2)
Re: (Score:2)
* I believe snyk would have caught this. Not that I use it.
* grepping for writeFile
Re: (Score:2)
> People here will blame the developers using the library, rather than the intentionally malicious library maintainer themselves.
Hey, always carefully examine every piece of code your project incorporates!
Also: what, you haven't applied the security updates released YESTERDAY? What kind of irresponsible fool are you to not have auto-updates turned on?
I'm sure every tiny project has a full CI system with full coverage, too.
In fantasyland, we'd have this (Score:2)
Wouldn't it be AMAZING if GitHub had a button you could click and see exactly what has changed between this version and the last? So in two minutes you could check for "rm -rf /".
But seriously, I do understand the tension you're talking about.
Fortunately, the button is there, for open source.
For Microsoft, there is a more difficult balance between how many days you wait before updating.
Re: (Score:2)
People should (but won't) blame the shoddy, cavalier JS ecosystem that allows things like this to happen in the first place.
Re: (Score:2)
The war is a little bigger than a minor open source developer squabble.
Still, at this point everyone knows they need to make backups, and everyone knows they need to manage their dependencies.
Re: Just like with Colors and Faker (Score:1)
Re: (Score:2)
There are companies like Jfrog that make money off managing dependencies, so it definitely happens.
At a minimum, you should be specifying a version.
Re: (Score:3)
Honestly, it is mixed. By this point if you're allowing NPMs to randomly update without any sort of QC process anywhere outside of a development sandbox, you're crazy.
At the same time, the list of things wrong with the developer's actions is extensive.
Re: (Score:2)
There's plenty of blame to go around. Let's not forget NPM, who should by now have put something in place to stop this happening.
Re: (Score:2)
I'm going to blame an entire development ecosystem that encourages developers to just blindly include the 'latest' version of something taken from an upstream repo that has no significant controls on its contents. We've had multiple instances of things getting broken/taken over/turned into malware and there is no longer any excuse for just blindly pulling shit in!
Yes, keeping an eye on the things you depend on DOES in fact take extra work. Perhaps you could, I don't know, pay someone to do that work?
Shocki
Re: Just like with Colors and Faker (Score:2)
You're Next (Score:1)
Re: (Score:2)
Maybe don't use tools that automatically download new versions of third-party libraries?
Just put the necessary work into managing your dependencies. You'll very quickly discover how few you actually end up "needing" when there's a real cost associated with including each one.
As a bonus, your project will be smaller, faster, and easier to maintain. Your users will thank you.
Re: (Score:2)
Yes, the value of zero-transitive-dependencies libraries is often ignored. Kudos to library developers who prioritize this.
Re: (Score:2)
We have had a solution for a long time. It's called version control.
Instead of always installing the latest, which is exactly how you get burned by this, declaratively lock your version number and always use that version. And then when you need to update, test the new version before deploying to anything that matters.
What kind of fucking cowboys just always use the latest version of everything at install-time and expect their code to actually function?
First they came for Russia, and I thought... (Score:2)
Then I thought a little harder, and it started to bug me.
Re: (Score:1)
eh, screw Russia.
Then I thought a little harder, and
..nope, still thinking "screw Russia."
(Fixed that for you)
Re:First they came for Russia, and I thought... (Score:4, Interesting)
Re: (Score:2)
with Russian-language keyboards associated with them
That part-myth was debunked, the tools actually check to see if the Russian-language and locale are the *default* set. Simply having a Russian keyboard associated with your PC doesn't prevent the malware from executing.
Re: (Score:2)
HKEY_LOCAL_MACHINE\SYSTEM\Keyboard Layout\Preload
"2"="00000419"
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
"2"="00000419"
Re: (Score:2)
It should bother you if you aren't managing your dependencies. This kind of thing has been going on almost as long as NPM has existed. It's a known weakness of the platform, and has been criticized for many years.
Software sabotage (Score:1)
Breaking of trust (Score:1)
Re: (Score:1)
Re: (Score:2)
By this point, you shouldn't trust NPM. The trust was broken long ago.
Re: (Score:1)
But should we have trusted random strangers on the internet in the first place? The practice of how casually random libraries are included in software projects has been scaring me for a while already. It could be slightly better if all software was run in a sandbox, but even on macOS, where sandboxing is pretty much streamlined, many developers just don't bother to use the feature. Various Electron apps without sandboxing with randomly downloaded plugins (I am looking at multiple IDE-like editors) seems lik
Trust is for suckers. (Score:2)
The problem with the open source community is it's made up of humans.
Not sure why my submission summary was denied... (Score:2)
My summary used the same article, and the summary is almost the same. Except in my opinion it added the most important part of the article in that the biggest issue with this is that it undermines trust in open source community.
Re: (Score:1)
Well then you have your answer, no one may question the Open Source Reich!
it undermines trust in open source community (Score:1)
Any society runs on an element of trust. The more complex the society the more trust is needed.
From the food we eat, the delivery distribution networks to the credit we use to pay for it.
Normally the fact that the actor's identity is known usually prevents such malicious attacks.
Imagine the actor is a person who is known, in good standing, and authorised and then blows up their customers' property, deliberately.
Would you buy that brand again?
But then again I wouldn't believe people would use
Nothing peaceful about it. (Score:5, Insightful)
Re: (Score:2)
Still.
Re:Nothing peaceful about it. (Score:4, Interesting)
What part of as is no warranty implied did you not understand?
Re: (Score:2)
Goes hand in hand with no trust implied either. A strong position for open-source advocates in their continued battles against proprietary.
Re: Nothing peaceful about it. (Score:2)
His actions are far from peaceful. It's exactly the same as smashing local business windows or setting cars on fire during a protest. You're destroying people's work. This developer should be barred from Github for doing such a thing.
You bring up an interesting analogy. The author can employ the Rittenhouse defense. Belarus and Russia were going to come for him next and use his code against him, self defense, cry on the witness stand. Judge will say you can't call the victims victims because Belarusians and Russians started it or some crap like that.
Re: (Score:2)
It's exactly the same as smashing local business windows or setting cars on fire during a protest.
Yeah but only businesses and cars supporting a murderous government. You seem to not understand what the entire world's strategy is at the moment. Do you think McDonalds pulled out of Russia so that Putin himself couldn't buy a BigMac?
People are responsible for their government. Their government is currently starting a war in Europe. Fuck the people themselves, they can take action for their responsibilities of years of not standing up or simply rolling over and accepting what the government tells them.
Re: Nothing peaceful about it. (Score:2)
Re: (Score:2)
> This developer should be strung up by his thumbs and flogged for doing such a thing
There, FTFY
Trust is hard (Score:2)
This is why software devs should never trust third parties. Any third party. Minimal, flat dependencies for any application. The more you can build/maintain by yourself, the better off you are in the long run. That said, some things are actually very hard to do efficiently and/or securely in software and so you have to pick and choose your battles, er, libraries carefully. Image processing, cryptography, video game engines, Unicode, to name a few areas where a library makes sense - and if the library i
Protesting "for" or "against"? (Score:2)
Basic grammar, people.
Protest or Malware? (Score:2)
<insert both meme>
mirror everything (Score:2)
Re: (Score:2)
Is it different from Microsoft disabling licenses (Score:2)
This is a bad move to turn software and licensing into weapons or coercion tools. What this author did also damaged the reputation of every Node/JS software.
But is it that much different from what Microsoft did by revoking licenses in Russia?
The message Microsoft confirmed is that you don't own the software and Microsoft keeps the master key.
The message that this library author passed, is that the licensing of the library is just words without binding and if author can breach license, anyone can do (I doub
Re: (Score:2)
It would have been a better advocacy for open-source to say, we don't use our software for political statements, unlike say proprietary. Now that advantage has been burned to ashes because people can't separate the two. And people WILL remember.
Re: (Score:2)
It would have been a better advocacy for open-source to say, we don't use our software for political statements,
Well, open source/Free software is a political movement so that would have been a lie.
Famous? (Score:2)
More like "infamous" now...
This one definitely applies. (Score:1)
dummy post to remove mod vote (Score:1)