DecryptedTech

Wednesday, 06 July 2022

Open Source Takes Another Hit as 3rd Protestware Shows up in NPM Repository



The Open Source community is one that many leverage to help build their applications. It has become a great place to find application packages that make building out a larger application or ecosystem less time consuming. We see this in just about every development space, from large to small. Having helpful sources of working code can speed up the development lifecycle and allow for greater interoperability, as many applications use the same dependencies and core functions. The open source community is a great resource and is typically one that you can trust to pull code from.

However, there is and has always been a flaw in the system. It is just one that has been ignored because of how useful the system is. The flaw is simple: the applications, code, and so on are all still controlled by the developers that maintain them. If a developer has their account compromised, attackers can inject malware into the very applications that are dependencies for a huge part of our software ecosystem. Likewise, what happens if a developer decides to pull their code (as has happened before) or, worse, to inject malicious and destructive code into their popular applications?

Developers of popular and useful applications have pulled their work from repositories like NPM before, and the impact was significant. There have also been cases of developer accounts being compromised, which resulted in their applications becoming malware delivery systems. These two risks sit alongside the more common typo-squatting attacks, where malicious developers post packages with names close to the one you are looking for. They hope you make a mistake while searching for what you want and end up with their malicious package instead. This is all par for the course with many application markets and repositories. The one thing we had not seen before 2022 is the legitimate developer deciding to inject malicious and destructive content into their own app and publish it.
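Two of the risks above (a maintainer's next release silently pulling destructive code into your build, and typo-squatted package names) can be checked for before anything is installed. The following is an added example, not code from the article: a small Node script that audits a package.json manifest for dependency specifiers that are not pinned to an exact version and for names that sit within a short edit distance of a package the project actually intends to use. The manifest, the allow-list and the look-alike name "lodsah" are constructed for this example.

```javascript
// Added example: audit a package.json for unpinned ranges and look-alike names.
// Constructed sample manifest; "lodsah" is a made-up typo-squat of "lodash".
const manifest = {
  dependencies: {
    "left-pad": "^1.3.0",   // caret range: will pull the next minor release
    "lodash": "4.17.21",    // exact pin
    "lodsah": "*",          // look-alike name and wildcard range
    "some-util": "latest"   // constructed name; "latest" is never a pin
  }
};

// Constructed allow-list: packages the project intends to depend on.
const knownGood = ["lodash", "left-pad", "some-util"];

// Levenshtein distance, used as a crude typo-squat heuristic.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,                                    // deletion
        d[i][j - 1] + 1,                                    // insertion
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)   // substitution
      );
    }
  }
  return d[a.length][b.length];
}

// True only for an exact semver pin such as "4.17.21"; ranges, "*" and
// "latest" all let a future (possibly hostile) release in automatically.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Returns { unpinned: [names], suspicious: [{ name, lookalike }] }.
function auditManifest(pkg, allowList) {
  const unpinned = [];
  const suspicious = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!isExactPin(spec)) unpinned.push(name);
    if (!allowList.includes(name)) {
      const lookalike = allowList.find((k) => editDistance(name, k) <= 2);
      if (lookalike) suspicious.push({ name, lookalike });
    }
  }
  return { unpinned, suspicious };
}

console.log(JSON.stringify(auditManifest(manifest, knownGood), null, 2));
```

Pinning exact versions (and committing the lockfile) does not make a maintainer trustworthy, but it turns a surprise release into a change you review rather than one your next install runs for you.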

The possibility of this type of issue surfacing in open source applications (developers nerfing their own code) has always been there. It just has not really been acknowledged or expected. The open source community has been given an unusual amount of trust, and for the most part it has earned it. Now that people are becoming more comfortable with expressing their social conscience to others (which is not necessarily a bad thing), it has spilled out into areas that most would have hoped could avoid it.

Sadly, the Russian invasion of Ukraine has created a massively polarizing landscape in an already highly polarized world. For many, this event has been and still is the last straw: they need to do something. For developers that know their code is widely used (and loved), it was a chance to leverage that power for what they feel is good. In some cases, the protestware amounts to little more than information. A timer is injected to show the end user information about the invasion and urge them to action. In other cases, the effect was more impactful, including adding code that was intended to delete data from drives on systems the developer wanted to target (in all these cases the developers have been very opposed to the invasion). The protest went from peaceful to destructive quickly and will impact trust in the open source community moving forward.

The response to these events has been binary. Many feel the protests are justified given what we are seeing coming out of Ukraine. Others are not so happy, either because of the targeting of the general Russian populace or because of the potential impact on the open source community as a whole. It is about what you would expect. The problem is, what happens when a developer decides to do this based on something they feel strongly about, but you are against? Or when it is massively prejudicial against a country or ethnic group? This is going to happen at some point. It is not just going to stay focused on the invasion of Ukraine; it cannot, as human nature has shown us in the past (repeatedly). The fact that "Pandora's Box" has been opened in the open source world, especially in a place like NPM, is only going to push people away from its use. This is simply a sad fact of life and one that will not help the people the protestware is intended to help. Big development groups will just find a way to limit open source use or stop it completely. Smaller shops and end users will be the ones hurt here, with little to no impact on the events the protests are intended to change.
