I’d like to preface this post by saying that I in no way support the actions taken by Russia in Ukraine. The actions of the Russian state in Ukraine are criminal and must be put to an end. Russia is very clearly on the wrong side of history. This post is not a commentary on politics or the war in Ukraine, it’s an expression of my perspective on “protestware”.
Malware And Terror
On March 7th Brandon Nozaki-Miller (RIAEvangelist) pushed malicious code to his Node.js package node-ipc under the guise of an “ssl check”.
node-ipc averages over one million weekly downloads, as well as having major dependents such as @vue/cli, the command line interface for the popular Node.js web framework Vue.js. This code first geo-located your machine (a privacy violation in its own right). Then, if your location matched Russia or Belarus, it would proceed to overwrite files on your system with a single heart emoji. If there was ever any doubt as to whether or not this was intentional, the fact that he took the time to obfuscate the code throws it out the window. The code was put on a single line in a single file with vital portions encoded in base64 in an effort to reduce readability. Nozaki-Miller later denied that it was possible the malicious code could be executed without modification. This assertion is blatantly false, as the code has been proven executable by several analysts.
The Oxford English Dictionary defines malware as “Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.” Let’s not beat around the bush here, the code pushed to node-ipc by Nozaki-Miller was malware. In a GitHub issue opened on the node-ipc repository (which has now been censored) Nozaki-Miller claims that he is in the right, as the code is “public, documented, licensed and open source”. This statement is true to some extent, as the code is publicly available and under a license that provides the code “as is”. From a legal perspective (obligatory I am not a lawyer), the fallout of this is not his problem. But, Nozaki-Miller is missing the point here; by intentionally distributing malware in a package you are going against fundamental free and open source software (FOSS) principles, as well as damaging the ecosystem. Regardless of license, FOSS is about a community working together to improve code; FOSS is about creation, not destruction. The intentional delivery of a malware payload via a trusted package is a clear act of demolition. Not only does it damage the ecosystem directly surrounding this package, it damages the wider community. In a package ecosystem as fragile as npm, which is already reeling from several high profile supply chain incidents in recent years (faker to name a few), actions like those of Nozaki-Miller only sow more distrust in the community.
The Oxford English Dictionary defines terrorism as “The calculated use of violence or threat of violence to inculcate fear … in the pursuit of goals that are generally political, religious or ideological.” Nozaki-Miller has effectively used software as a weapon to perpetrate violence against systems and to instill fear in the FOSS community. He has done this with the goal of pushing a political message and an ideology on “protestware”. By this definition, I will with no hesitation call what Nozaki-Miller did a calculated act of terror against the FOSS community.
“Protestware” is a new term (possibly coined by Tyler Resch in a now censored GitHub issue) for software with a goal of pushing political or ideological messages. This goal does not need to be primary, “protestware” can be a secondary goal of a piece of software as we saw with Nozaki-Miller’s node-ipc. Not all forms of “protestware” are such radical acts of terror as node-ipc. In fact, most are seemingly innocuous political messages baked into software (see Notepad++’s “Stand With Hong Kong” update for a non-Ukraine example). These messages may be nonviolent, but they still hurt the integrity of the FOSS ecosystem.
FOSS should not be a political matter. Developers of FOSS projects gain their platform via code. They should not use this platform to spread their ideology. FOSS is about software, not politics; collaboration on FOSS should not be hindered by differences in political ideology. The signal boosting of political ideology via FOSS platforms hurts collaboration and causes more problems than it solves. Full disclosure: I stand with Hong Kong and I stand with Ukraine. These issues mean a lot to me, but FOSS platforms should not be used for their advocacy. The use of FOSS to spread these messages sets a precedent for any other political message that any developer may want to push. The situation with node-ipc could’ve easily happened in the opposite fashion. It could’ve been a Russian developer deleting files on American systems. I highly doubt any supporters of Nozaki-Miller would be advocating for a similar attack on American systems.
Political demonstration is an important part of democratic society. It has its place, but FOSS is not it. The advent of “protestware” is a slippery slope that will more likely than not lead to more incidents similar to node-ipc. In order to protect FOSS we must put an end to “protestware” in its ranks and punish bad actors such as Nozaki-Miller.
In conclusion, “protestware” is a dangerous new trend that will only lead to fracture in the community. While users do hold some responsibility for their usage of software provided “as is”, there is also an expectation that the most basic principles of FOSS will be upheld. In the future, packages should be more thoroughly checked for malware to prevent blatant supply chain attacks like that of node-ipc. We must work together as a community to rid FOSS of “protestware” and hold bad actors accountable.
- RIAEvangelist (Brandon Nozaki-Miller) GitHub account
- node-ipc on GitHub
- peacenotwar on GitHub
- node-ipc on npm
- peacenotwar on npm
- @vue/cli on npm
- The malicious code Nozaki-Miller pushed to node-ipc
- The commit containing the malicious code Nozaki-Miller pushed to node-ipc
- Notepad++ “Stand With Hong Kong” update
- Snyk Vulnerability DB breakdown of node-ipc malware
- Snyk blog post on node-ipc and peacenotwar malware
- Vulnerability breakdown by Tyler Resch
- GitHub issue with comments from Nozaki-Miller (1)
- GitHub issue with comments from Nozaki-Miller (2)
- GitHub issue about American NGO affected by malware (unverified)
- Ars Technica article on
- Bleeping Computer article on