Corrupted open-source software enters the Russian battlefield

It started as an innocent protest. Npm, JavaScript’s package manager maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-code npm source-code package called peacenotwar. It did little except add a protest message against Russia’s invasion of Ukraine. But then, it took a darker turn: It began destroying computers’ file systems.

To be exact, Miller added code that would delete the file system of any computer with a Russian or Belorussian IP address. Then, its maintainer added the module as a dependency to the extremely popular node-ipc mode. Node-ipc, in turn, is a popular dependency that many JavaScript programmers use. And it went from annoying to a system destroyer.

The code has undergone several changes since it first appeared, but it must be regarded as highly dangerous. Underlining its potential for damage, Miller encoded his code changes in base-64 to make it harder to spot the problem by simply reading the code.

Read more…
Source: ZDNet