March 18, 2022


Industry: Technology | Level: Strategic | Source: Snyk

In protest of the ongoing conflict between Russia and Ukraine, the maintainer of the npm package node-ipc, Brandon Nozaki Miller (aka RIAEvangelist), published sabotaged versions of the package on March 8th that target users in Russia and Belarus, selected by geolocating the host's public IP address. Snyk describes the incident as a supply chain-style attack consisting of “corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms.” The malicious releases, tracked as CVE-2022-23812, are node-ipc versions 10.1.1 and 10.1.2. Both have since been removed from GitHub and npm, and version 10.1.3 no longer contains the code that overwrote files on disk. Because node-ipc is usually pulled in transitively rather than listed in an application's own package.json, affected organizations should check lockfiles and installed node_modules trees, not just direct dependencies.
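As an added example (not code from Snyk or from the node-ipc project), the following Node.js script scans a parsed package-lock.json for the two sabotaged node-ipc releases. It handles both lockfile layouts npm has produced: the flat `packages` map of lockfileVersion 2 and 3, keyed by installation path, and the nested `dependencies` tree of lockfileVersion 1, so a copy of node-ipc nested under another package is caught as well. The two lockfile objects embedded below are constructed for the example; the `AFFECTED` table is the version list from the advisory above.

```javascript
// Added example: find sabotaged node-ipc releases in an npm lockfile.
// The version list comes from CVE-2022-23812; everything else is illustrative.
const AFFECTED = { 'node-ipc': new Set(['10.1.1', '10.1.2']) };

// Returns [{ name, version, path }] for every affected package found in
// a parsed package-lock.json, covering lockfileVersion 1, 2 and 3.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
  // "node_modules/foo/node_modules/node-ipc". The key "" is the root project.
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      if (affected[name] && affected[name].has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
    }
    return hits; // v2 also carries "dependencies"; skip it to avoid double counting
  }

  // lockfileVersion 1: nested "dependencies" tree, one level per node_modules.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (affected[name] && affected[name].has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile (v2 layout): a transitive node-ipc@10.1.2 at the top
// level and a safe nested node-ipc@9.1.1 under a hypothetical "some-tool".
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/some-tool': { version: '3.0.0', dependencies: { 'node-ipc': '^9.1.0' } },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.1.1' },
    'node_modules/node-ipc': { version: '10.1.2' },
  },
};

// Constructed lockfile (v1 layout) with the other sabotaged release nested
// two levels deep, under the same hypothetical "some-tool".
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': {
      version: '3.0.0',
      dependencies: {
        'node-ipc': { version: '10.1.1' },
      },
    },
  },
};

console.log(JSON.stringify(findAffected(SAMPLE_LOCK_V2)));
console.log(JSON.stringify(findAffected(SAMPLE_LOCK_V1)));
```

To run it against a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` to `findAffected`. `npm ls node-ipc` gives a quicker answer for an installed tree, but the lockfile scan works in CI without a node_modules directory and can be pointed at lockfiles from many repositories at once.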