Dev Sabotages Popular NPM Package to Protest Russian Invasion

In the latest software supply-chain attack, the maintainer of the hugely popular node-ipc library added malicious code that overwrites files with a heart emoji, together with a peacenotwar module.

The developer behind the hugely popular npm package “node-ipc” has released sabotaged versions of the library to condemn Russia’s invasion of Ukraine: an act of supply-chain tampering that he would prefer to call “protestware” rather than “malware.”

Regardless of the peace-not-war messaging, node-ipc is now being tracked as a malicious package: its added code targets users whose IP addresses are located in Russia or Belarus and overwrites their files with a heart emoji.

It started on March 8, when npm maintainer Brandon Nozaki Miller (aka RIAEvangelist) wrote and published two npm packages, peacenotwar and oneday-test, on both npm and GitHub.

The peacenotwar module adds a message of peace to users’ desktops. It only does it once, “just to be polite,” according to Miller’s module description:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message
