The maintainer of an open source package has raised a ruckus in the FOSS community after taking it upon themselves to “educate” users in Russia and Belarus regarding the invasion of Ukraine, with an attempt at “hacktivism” that appears to have gone horribly awry.
The responsible party says that the update was supposed to place a simple anti-war message on the desktops of these users, but some soon found that the package was overwriting their files with a heart emoji. Investigation by third parties indicates that this overwrite behavior was intentional, and the offending maintainer appears to have fled for the hills.
Hacktivism hits random users in Russia and Belarus as project maintainer aggressively protests Ukraine war
Hacktivism is far from uncommon, and there are not many outside of Russia or Belarus who would defend those countries in their choice to invade Ukraine. The distribution of malware to random targets through a trusted piece of software crosses a new line, however, and one that the open source community is clearly not comfortable with.
Ukraine has openly called for hacktivism in support of its war effort from the outside world, but prior efforts (most notably those of Anonymous) have focused on Russian government assets and communications channels. The malware passed through this open source package appeared to target anyone with an IP address in those two countries.
The open source project was no small or obscure piece of software, either. Node-IPC is downloaded and used frequently around the world, exceeding one million downloads per week. The package is depended on by at least hundreds of other open source projects, if not thousands. The attacker not only appeared to wipe files intentionally, but base64-encoded the payload to make it harder for other contributors to the project to recognize what the code was doing.
The incident could be seen as “protestware” announcing itself as a new and serious security threat to consider when making use of open source components, and one that is not easily detected or rebuffed short of abandoning open source entirely.
New questions about the safety of open source
The fact that this happened to such a popular package should have all types of organizations re-evaluating how much trust they can put in open source software, and how defenses and response plans should be altered to deal with the potential threat.