Open source sabotage sparks fears of backlash

When Russia launched its offensive on Ukraine, the reaction around the world was swift: Governments imposed sanctions, businesses cut ties, and citizens took to the streets to protest the war. Then, there was the unique response from developer Brandon Nozaki Miller.

Miller, who is also known by his handle ‘RIAEvangelist’, is the maintainer of an open source package called Node-IPC, a Node.js library that handles low-level inter-process and network communication over local sockets, TCP and UDP. It is pulled in, usually as a transitive dependency that most developers never see, by software ranging from the command-line tooling for the JavaScript framework Vue.js to Unity Hub, the launcher for the Unity game engine that powers thousands of games.

As a result, it was rather dramatic when Miller published what was essentially a sabotaged update to the package – a move that he terms not malware, but 'protestware'.

There were two rogue updates. The first, shipped as an ordinary patch release of Node-IPC, looked up the geographic location of the host's public IP address and, if it resolved to Russia or Belarus (which is supporting Putin’s invasion), overwrote the contents of files on the machine with heart emojis.

Because any machine that merely matched the location check lost data, the release was quickly reported and catalogued as a vulnerability. A second, more benign version followed: a separate module dubbed 'peacenotwar', added as a dependency of Node-IPC, which left files intact but placed a “message of peace” in a text file on users’ desktops.

“This code serves as a non-destructive example of why controlling your node modules is important,” Miller wrote in the npm registry listing through which it was distributed. “It also serves as a non-violent protest against Russia's aggression that threatens the world right now.”
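The practical lesson behind “controlling your node modules” is that npm’s default caret ranges (`^10.1.0`) accept any later release with the same major version, so a poisoned patch release reaches every project that depends on the package, directly or through another dependency. The script below is an added example, not code from the article or from the Node-IPC project: it audits a lockfile for every installed copy of a named package, flags copies whose version falls inside a deny-list, and shows how a caret range admits a later patch release while an exact pin does not. The lockfile, the hypothetical dependency `some-cli`, and the deny-list bounds are all constructed for the demonstration; the article does not name the sabotaged versions, so take the real bounds from the published advisory.

```javascript
// Added example, not code from the article or from the node-ipc project.
// Audits an npm lockfile (lockfileVersion 2/3 "packages" map) for every
// installed copy of a package, flags copies inside a deny-list of version
// ranges, and shows why a caret range lets a sabotaged patch release in.

// Minimal semver: "MAJOR.MINOR.PATCH"; pre-release and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `range` accept version `v`? Handles the two forms that matter here:
// an exact pin ("10.1.0") and npm's default caret range ("^10.1.0"), which
// accepts any later version with the same major (same minor too for 0.x).
// A dependency declared as "^10.1.0" therefore picks up a 10.1.x release
// published later, which is how a poisoned patch release propagates.
function satisfies(range, v) {
  if (!range.startsWith("^")) return compareVersions(range, v) === 0;
  const base = range.slice(1);
  const [bMajor, bMinor] = parseVersion(base);
  const [vMajor, vMinor] = parseVersion(v);
  if (vMajor !== bMajor) return false;
  if (bMajor === 0 && vMinor !== bMinor) return false;
  return compareVersions(v, base) >= 0;
}

// Every installed copy of `name` in the lockfile, including nested copies
// that other dependencies pulled in under their own node_modules.
function findInstalled(lockfile, name) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project itself
    const pkgName = path.slice(path.lastIndexOf(marker) + marker.length);
    if (pkgName === name) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Flag installed copies whose version falls inside any inclusive [lo, hi] range.
function auditLockfile(lockfile, name, denyRanges) {
  return findInstalled(lockfile, name).map((hit) => ({
    ...hit,
    flagged: denyRanges.some(
      ([lo, hi]) => compareVersions(hit.version, lo) >= 0 && compareVersions(hit.version, hi) <= 0,
    ),
  }));
}

// Constructed sample lockfile, not taken from any real project. It has the
// shape npm 7+ writes: the project depends on a hypothetical tool "some-cli",
// which declares "^10.1.0" on node-ipc, plus an older top-level node-ipc.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { "node-ipc": "^10.1.0" } },
    "node_modules/some-cli/node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/node-ipc": { version: "9.2.1" },
  },
};

// Assumed deny-list for the demonstration. The article does not name the
// sabotaged versions; take the real bounds from the published advisory.
const DENY_RANGES = [["10.1.1", "10.1.2"]];

function main() {
  for (const r of auditLockfile(SAMPLE_LOCKFILE, "node-ipc", DENY_RANGES)) {
    console.log(`${r.flagged ? "FLAGGED" : "ok     "} ${r.path}@${r.version}`);
  }
  console.log(`"^10.1.0" accepts 10.1.2: ${satisfies("^10.1.0", "10.1.2")}`);
  console.log(`"10.1.0" accepts 10.1.2:  ${satisfies("10.1.0", "10.1.2")}`);
}

main();
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested copy under `some-cli` is the one most teams miss, because it never appears in their own `package.json`. Installing with `npm ci` against a reviewed lockfile stops a fresh resolution from pulling in a newer release, and npm's `overrides` field in `package.json` can force a transitive dependency to a version you have chosen.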

The full consequences of the ‘protest’ aren’t clear, though Russia’s largest bank, Sberbank, has since instructed its staff not to install further software updates to guard against such an attack. Since the vulnerability was disclosed, a message purporting to be from an American NGO operating in Belarus has claimed that the sabotaged package wiped out files containing information on human-rights abuses committed by the Belarusian regime.

Miller, when approached, asked not to be quoted directly and advised that he would only speak on background. He did, however, post an explanation for his protest on GitHub. “War is not the answer, no matter how bad it is,” he wrote.

“Please stand up against this injustice and stand up against evil. Everything that evil people need to hurt people, you have to say: ‘What can I do?’ When one person is standing next to another and they are standing next to another, you soon have movement. Here's how little people can come together for more than one person. Do what you think is right, follow your own morals.”

Whether or not the protest was successful is perhaps in the eye of the beholder, and reaction appears to have been mixed, to say the least. “Thanks for all the free pizza, and thanks to all the police that showed up to SWAT me,” wrote Miller on his GitHub page, referring to the practice where people are targeted by fake calls to police claiming the victim is armed and dangerous, leading to armed response units being deployed. “They were really nice fellas.”

The broader implications of the incident could also reach far beyond Miller’s front door. “It's actually the rest of the [open source] community that is getting concerned about this,” says Ross Brewer from cyber security firm AttackIQ. “If you've got contributors that are prepared to manipulate code, just on a whim because they want to say something political or whatever, then you start to [wonder] how many people have access and how many contributors are there? And what do they have control over? And then what safety is in the system?”

He argues that a protest such as this could undermine the trust model implicit in open source, where downstream users accept whatever a maintainer publishes, and that there is potential for a significant backlash against those who launch such protests, harming their reputation in the wider community. He also fears such attacks could provoke retaliation from the targeted regime.

“Once we get into these geopolitical situations, and you've got these have-a-go heroes that are hacking countries, there's going to be a response from that and it's the backlash that we've all got to deal with,” says Brewer. “We just become collateral damage in all of that.”