Traditionally, concerns over open-source code security have revolved around whether or not open-source code could contain vulnerabilities, backdoors, or hidden malicious code. In recent months, however, Trend Micro researchers have observed a growth in a particular trend: Open-source code is being subjected to modifications to its functionality to express political protest. These instances of so-called “protestware” occur in the form of code changes by certain open-source code maintainers or backers in what could only be surmised as politically motivated or protest-driven acts. While this activity is not new and has been seen in the past, the recent geopolitical situation has divided the open-source community: Some support the trend, while others prefer that the open-source ecosystem remain apolitical, as protestware could jeopardize the trustworthiness of open-source software as a whole.
This type of activity attracted significant attention after the maintainer of an important Node.js supply chain component, node-ipc, altered its code to have destructive behavior. This node-ipc incident happened in March and turned out to be far from being an isolated case. There have been other incidents in the open-source community tied to the ongoing conflicts in Ukraine, Israel, and Palestine, and other geopolitical issues. Users of open-source software therefore need to ensure that the whole supply chain of their open-source software stack is safe and has not been affected by code changes that are not related to the code components’ main functionality. In fact, this is a new concern that IT administrators have to worry about when securing their systems. Now, they also have to think about how politics might interfere with their digital supply chain.
Source: Trend Micro