
Open source dev attacked for spreading data-wiping 'protestware'

Developer denies wiping users' drives in spite of detailed code analysis


A developer has been fighting a public backlash after being accused of trying to indiscriminately spread malware to Russian IPs through a popular open source package.

The developer, Brandon Nozaki-Miller, has denied allegations that his code wiped the hard drives of users in Russia and Belarus, in spite of a detailed code analysis online by third-party experts.

Miller maintains 'node-ipc', a legitimate interprocess communication module for Linux, Mac, and Windows systems. According to GitHub, almost 761,000 people use the package.

Following an analysis of the code on March 7 of this year, software security company Snyk concluded node-ipc had been updated with a malicious package, adding that the software was targeting any user with an IP address from Russia or Belarus, overwriting their files with a heart emoji in the process.

Following the update, users began reporting that the code was wiping their systems. One school student claimed that node-ipc had erased their hard drive after they tried to use it for a school project, and another unconfirmed report from someone claiming to work for an American NGO in Belarus said that the code had wiped thousands of messages documenting human rights abuses from servers located there.

Snyk said that node-ipc was properly maintained long before this incident, but that the malicious code was introduced in node-ipc from version 10.1.1 until 10.1.3. It assigned the vulnerability an ID, CVE-2022-23812, with a 9.8 (critical) CVSS score.

The node-ipc tool was used in packages including Vue.js's command line tool, Snyk said.

The company said that the vulnerable versions of the node-ipc package were then removed from the npm registry on March 8. Nevertheless, the code updates had affected some users, it added.


Nozaki-Miller is said to have subsequently added another package called 'peacenotwar' as a dependency for node-ipc on the same day. This package purportedly displayed a peaceful message on people's desktops protesting the war in Ukraine, something Miller has called 'protestware'. This was an effort to try and hide the previous attempt to spread malware, according to Snyk.

The message, contained in 'WITH-LOVE-FROM-AMERICA.txt', said "War is not the answer" and asked people to forgive soldiers fighting the war under orders from their government. One version of the code also created files on users' systems documenting the current war situation in Ukraine.

Open source users mounted a significant backlash against Miller, leaving a string of issues on the project's GitHub page protesting his actions. The issues have now been deleted.

Miller told IT Pro that he had been swatted, which is an attack where someone finds a victim's address and alerts police to a fake emergency there. He also denied that the code was malicious.

"As far as I am aware, no actual computers were harmed unless by people trying to make it look like my code did something it did not," he said. "The only actual thing which happened was as documented and licensed in the source code files, a file was added to the desktop with a message of peace, morality, and trying to remember forgiveness when this is all over."

Snyk's detailed analysis rejects this claim, with the company accusing Nozaki-Miller of trying to obfuscate an attempt to spread malware. "This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," it said.

"How does that reflect on the maintainer’s future reputation and stake in the developer community?" it asked. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

The company published a script for those using npm as their package manager. It will only allow npm to install benign versions of the software.
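For teams that want to check what is already resolved in a project, the following added example (not the script Snyk published, and not code from the article) audits a parsed package-lock.json for node-ipc in the 10.1.1 to 10.1.3 range the article reports and for any copy of 'peacenotwar'. The function names and the sample lockfile are constructed for illustration; the lockfile layout assumed is npm's `packages` map (lockfileVersion 2 and 3) and nested `dependencies` tree (lockfileVersion 1).

```javascript
// Added example: audit a parsed package-lock.json for the packages the article names.
// Affected range comes from the article: node-ipc 10.1.1 through 10.1.3.
const AFFECTED = { name: "node-ipc", min: [10, 1, 1], max: [10, 1, 3] };
const FLAG_ANY_VERSION = new Set(["peacenotwar"]); // dependency named in the article
const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1).map(Number) : null;
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

function classify(name, version) {
  if (FLAG_ANY_VERSION.has(name)) return "protestware dependency";
  if (name !== AFFECTED.name) return null;
  const v = parseVersion(version);
  if (!v) return "unparseable version, check manually";
  return cmp(v, AFFECTED.min) >= 0 && cmp(v, AFFECTED.max) <= 0 ? "affected version" : null;
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, version, where) => {
    const reason = classify(name, version);
    if (reason) findings.push({ name, version, where, reason });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path ("" is the root).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;
    record(meta.name || path.split("node_modules/").pop(), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo-app" },
  "node_modules/node-ipc": { version: "10.1.2" },
  "node_modules/some-cli/node_modules/node-ipc": { version: "9.0.0" },
  "node_modules/peacenotwar": { version: "0.0.0-constructed" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Because the walk covers nested install paths, it also reports copies pulled in transitively, which is how a command line tool that depends on node-ipc would carry it into a project.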
