What if, out of nowhere, your computer displayed a “message of peace”? You would probably suspect a virus or a hacker. For developers who use a module called node-ipc, the culprit was closer to home: the package was sabotaged by its own creator to display messages in support of Ukraine.
This is not the first time a programmer has used his own project to make a statement. Earlier this year, for example, the maintainer of the faker.js and colors.js libraries sabotaged both projects so that they displayed protest messages.
The phenomenon even has a name: protestware.
Turning node-ipc into “protestware”
Some recent versions of node-ipc began erasing data, overwriting files on the computers of developers who use it, while text files containing the so-called “messages of peace” appeared in their place.
This is textbook malware behavior, so much so that the problem was formally recorded as CVE-2022-23812. To understand what happened, though, we need to go back to a recent date: March 8, 2022.
An investigation by security firm Snyk points out that it was on this day that developer Brandon Nozaki Miller, also known by the handle RIAEvangelist, published an npm package called peacenotwar (“peace, not war”). He describes the module as follows:
This code serves as a non-destructive example of why it is important to control your Node. This also serves as a non-violent protest against Russia’s aggression that threatens the world right now.
What this module does, in effect, is display a “message of peace” on the user’s desktop. If that sounds like too much of a coincidence, you are right: RIAEvangelist is also the developer behind node-ipc.
As of March 15, peacenotwar had barely been downloaded at all. On that date, however, the package saw a spike in downloads. You may already have guessed the reason: RIAEvangelist had made peacenotwar a dependency of node-ipc.
This means that every project that uses node-ipc can end up displaying the message on the user’s screen, since the package “calls” peacenotwar. Note, however, that this module only prints a text; it does not erase data.
According to BleepingComputer, the destructive instructions were inserted into “selected” versions of node-ipc. Analysis showed that the malicious code looked up the user’s public IP address and wiped data only if that address was geolocated to Russia or Belarus.
Solution: use an old version
As far as is known so far, node-ipc versions 10.1.1 and 10.1.2 are the ones that carry the destructive payload; they were removed from npm about 24 hours after their release.
Versions 10.1.3, 11.0.0 and later contain no instructions to delete files, but they keep peacenotwar as a dependency.
The solution suggested by Snyk researchers for developers who want to get rid of this protestware is to stick to “clean” versions of node-ipc, such as 9.2.1 and 10.1.0.
The episode also shows why developers should pin the versions of essential libraries and modules in their projects and commit the resulting lockfile: when a version range is left open, as a rule, the newest matching release is the one that gets installed, so a project that depended on “^10.1.0” could pick up 10.1.2 without anyone changing a line of their own code.
But this is the kind of “lesson” most programmers would rather learn under less fraught circumstances. Although they abhor Russia’s invasion of Ukraine, many of them feel that protestware is not the best way to express opposition to the war.
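As an added example (not code from the article, from node-ipc or from Snyk), the following Node.js script audits a project’s package.json and package-lock.json for the versions discussed above: it reports any node-ipc range that could still resolve to 10.1.1 or 10.1.2, any lockfile entry that already did, and any peacenotwar entry that was pulled in. The manifests embedded in it are constructed for the demonstration, and the range parser only understands exact pins, caret and tilde ranges; anything else is treated as unpinned, which is the conservative answer.

```javascript
// Added example, not code from the article, node-ipc or Snyk. Checks a package.json
// and a package-lock.json (lockfile v2/v3 "packages" map) for the node-ipc versions
// that carried the destructive payload and for the peacenotwar dependency.
const BAD_NODE_IPC = ["10.1.1", "10.1.2"]; // versions named in the article (CVE-2022-23812)
const PROTESTWARE = "peacenotwar";         // the dependency that writes the "peace" message

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; null for ranges or pre-release tags.
function parseExact(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Can an npm range from package.json resolve to the given exact version?
// Handles exact pins, "^x.y.z" and "~x.y.z". Any other spec ("*", "latest",
// ">=1.0.0", git URLs) is treated as allowing everything.
function rangeAllows(range, version) {
  const v = parseExact(version);
  if (!v) return false;
  const exact = parseExact(range);
  if (exact) return cmpVersion(exact, v) === 0;
  const m = /^([\^~])(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return true;
  const base = m.slice(2).map(Number);
  if (cmpVersion(v, base) < 0) return false;
  if (m[1] === "~") return v[0] === base[0] && v[1] === base[1];
  // caret: same major; for 0.x.y only the same minor, for 0.0.z only that exact version
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return cmpVersion(v, base) === 0;
}

// Returns human-readable findings; an empty list means nothing was flagged.
function audit(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if ("node-ipc" in declared) {
    for (const bad of BAD_NODE_IPC) {
      if (rangeAllows(declared["node-ipc"], bad)) {
        findings.push(`package.json: "node-ipc": "${declared["node-ipc"]}" can resolve to ${bad}`);
      }
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry carries no version of interest
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === "node-ipc" && BAD_NODE_IPC.includes(entry.version)) {
      findings.push(`${path}: node-ipc ${entry.version} is locked (destructive payload)`);
    }
    if (name === PROTESTWARE) {
      findings.push(`${path}: ${PROTESTWARE} ${entry.version} is locked (protestware)`);
    }
  }
  return findings;
}

// Constructed sample manifests (not real lockfiles): a project that floated on
// ^10.1.0 and resolved node-ipc to 10.1.2, the same project after pinning 9.2.1,
// and a lockfile that landed on the 11.x line, which still pulls in peacenotwar.
const FLOATING_PKG = { name: "demo", dependencies: { "node-ipc": "^10.1.0" } };
const FLOATING_LOCK = {
  lockfileVersion: 2,
  packages: { "": { dependencies: { "node-ipc": "^10.1.0" } },
              "node_modules/node-ipc": { version: "10.1.2" } },
};
const PINNED_PKG = { name: "demo", dependencies: { "node-ipc": "9.2.1" } };
const PINNED_LOCK = {
  lockfileVersion: 2,
  packages: { "": { dependencies: { "node-ipc": "9.2.1" } },
              "node_modules/node-ipc": { version: "9.2.1" } },
};
const V11_PKG = { name: "demo", dependencies: { "node-ipc": "^11.0.0" } };
const V11_LOCK = {
  lockfileVersion: 2,
  packages: { "node_modules/node-ipc": { version: "11.0.0" },
              "node_modules/peacenotwar": { version: "9.1.5" } }, // version is illustrative
};

for (const [label, pkg, lock] of [["floating", FLOATING_PKG, FLOATING_LOCK],
                                   ["pinned", PINNED_PKG, PINNED_LOCK],
                                   ["v11", V11_PKG, V11_LOCK]]) {
  console.log(`${label}:`, audit(pkg, lock));
}
```

To check a real project, replace the constants with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and the same for package-lock.json. Only lockfile v2 and v3 are handled, because they list every installed package under a flat `packages` map keyed by its node_modules path; a v1 lockfile nests dependencies and would need a recursive walk.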
On GitHub, one developer even ranted against RIAEvangelist (the message has since been deleted, but BleepingComputer reproduced it):
This behavior sucks. Sure, war is bad, but that doesn’t justify this behavior. (…) You have just successfully ruined the open source community. Are you happy now, @RIAEvangelist?
It was apparently in this discussion that the term “protestware” emerged. RIAEvangelist even called the expression “genius”. He also defended himself there: “I just feel morally obligated to do something and it happens to be something that I can actually do by being within my area”.