Open source dev attacked for spreading data-wiping 'protestware'

A red warning sign on a screen with the word malware displayed under an exclamation mark
(Image credit: Getty Images)

A developer has been fighting a public backlash after being accused of trying to indiscriminately spread malware to Russian IPs through a popular open source package.

The developer, Brandon Nozaki-Miller, has denied allegations that his code wiped the hard drives of users in Russia and Belarus, in spite of a detailed code analysis online by third-party experts.

Miller maintains 'node-ipc', a legitimate interprocess communication module for Linux, Mac, and Windows systems. According to GitHub, almost 761,000 people use the package.

Following an analysis of the code on March 7 of this year, software security company Snyk concluded node-ipc had been updated with a malicious package, adding that the software was targeting any user with an IP address from Russia or Belarus, overwriting their files with a heart emoji in the process.

Following the update, users began reporting that the code was wiping their systems. One school student claimed that node-ipc had erased their hard drive after they tried to use it for a school project, and another unconfirmed report from someone claiming to work for an American NGO in Belarus said that the code had wiped thousands of messages documenting human rights abuses from servers located there.

Snyk said that ipc-node was properly maintained long before this incident, but that the malicious code was introduced in ipc-node from version 10.1.1 until 10.1.3. It assigned the vulnerability an ID - CVE-2022-23812 with a 9.8 (critical) CVSS score.

The ipc-node tool was used in packages including Vue.js's command line tool, Snyk said.

The company said that the vulnerable versions of the ipc-node package were then removed from the npm registry on March 8. Nevertheless, the code updates had affected some users, it added.


The secure cloud configuration imperative

The central role of cloud security posture management


Nozaki-Miller is said to have then subsequently added another package called 'peacenotwar' as a dependency for ipc-node on the same day. This package purportedly displayed a peaceful message on peoples' desktops protesting the war in Ukraine, something Miller has called 'protestware'. This was an effort to try and hide the previous attempt to spread malware, according to Snyk.

The message, contained in 'WITH-LOVE-FROM-AMERICA.txt', said "War is not the answer" and asked people to forgive soldiers fighting the war under orders from their government. One version of the code also created files on users' systems documenting the current war situation in Ukraine.

Open source users mounted a significant backlash against Miller, leaving a string of issues on the project's GitHub page protesting his actions. The issues have now been deleted.

Miller told IT Pro that he had been swatted, which is an attack where someone finds a victim's address and alerts police to a fake emergency there. He also denied that the code was malicious.

"As far as I am aware, no actual computers were harmed unless by people trying to make it look like my code did something it did not," he said. "The only actual thing which happened was as documented and licensed in the source code files, a file was added to the desktop with a message of peace, morality, and trying to remember forgiveness when this is all over."

Snyk's detailed analysis rejects this claim, with the company accusing Nozaki Miller of trying obfuscate an attempt to spread malware. "This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms," it said.

"How does that reflect on the maintainer’s future reputation and stake in the developer community?" it asked. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

The company published a script for those using npm as their package manager. It will only allow npm to install benign versions of the software.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.