Targeted ‘Protestware’ Attack On Russia, Belarus Computers Draws Criticism From Open Source Community

The maintainer of the widely-used networking software node-ipc drew backlash from the Open Source community earlier this month after a malicious code targeting users in Russia and Belarus that rewrites local files with anti-war messages was added to the application.

The software’s maintainer, Brandon Nozaki Miller, known online as RIAEvangelist, crafted the additional code two weeks ago as part of a new version of the software’s code library. Described as “protestware,” the additional code included a function that analyzed the IP address of anyone that downloaded the application. If the IP address was recognized as originating from Russia or Belarus, the malicious code wiped files on the device in use and replaced them with heart emojis.

According to Bleeping Computer, Miller initially released the code, titled “peacenotwar,” independent from node-ipc, but it was later included as a dependency in the popular application’s code. The move basically forced portions of the one million users that download node-ipc on a weekly basis to download “peacenotwar” without their knowledge. Even if users did visually inspect the code for malicious content, Miller disguised it to make detection more difficult.

Security firm Snyk published a report on the incident Wednesday calling “peacenotwar’s” implementation “a very clear abuse” and called Miller’s future involvement in maintaining open source applications into question. “Even if the deliberate and dangerous act of RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community,” wrote Snyk researcher Liran Tai. The report noted that Miller currently maintains more than 40 similar code libraries that constitute “hundreds of millions of downloads.”

In an email to Motherboard, Miller denied that the code had the ability to rewrite files on computers. “It only puts a file on the desktop,” he wrote. Miller’s official description of “peacenotwar” says it is a “non-destructive example of why controlling your node modules is important” and “ a non-violent protest against Russia’s aggression that threatens the world right now.”

The revelation ignited a wave of angry responses on GitHub community forums claiming that Miller’s actions threaten to undermine the very concept of open source development. “Is making a statement about Putin and Russia’s oligarchs by attacking what are likely average Russian/Belorussian (sic) people really worth taking a steaming dump on the integrity of an open source project and FOSS in general?” one user wrote.

“What if a Russian decided to do the same thing as RIAEvangelist did here? They could go one step further and claim it as “revenge” for an unprovoked attack on them. What if someone target Ukrainian IPs for something your government did,” another user added.

Tai echoed those concerns. “Snyk stands with Ukraine and we’ve proactively acted to support the Ukrainian people during the ongoing crisis with donations and free service to developers worldwide, as well as taking action to cease business in Russia and Belarus,” Tai wrote. “That said, intentional abuse such as this undermines the global open source community.” According to Ars Technica, the malicious code has since been removed, but Snyk’s report recommended that users discontinue using node-ipc altogether.