This month, the developer behind the popular npm package 'node-ipc'
released sabotaged versions of the library in protest of the ongoing
Russo-Ukrainian War.

Newer versions of the 'node-ipc' package began deleting all data and
overwriting all files on developers' machines, in addition to creating
new text files with "peace" messages.

With over a million weekly downloads, 'node-ipc' is a prominent package
used by major libraries like Vue.js CLI. [...]

the malicious code, committed as early as March 7th by the dev, would
read the system's external IP address and only delete data by
overwriting files for users based in Russia and Belarus.

The code present within 'node-ipc', specifically in file
"ssl-geospec.js" contains base64-encoded strings and obfuscation
tactics to mask its true purpose [...]

Additionally, because 'node-ipc' versions 9.2.2, 11.0.0, and those
greater than 11.0.0 bundle the peacenotwar module within themselves,
affected users saw 'WITH-LOVE-FROM-AMERICA.txt' files popping up on
their Desktop with "peace" messages [...]

"At this point, a very clear abuse and a critical supply chain security
incident will occur for any system on which this npm package will be
called upon, if that matches a geo-location of either Russia or
Belarus," [...]

This marks the second major incident of protest by an open source
developer this year, following January's 'colors' and 'faker'
self-sabotage incident, as first reported by BleepingComputer.

In the case of 'colors', its developer Marak Squires drew mixed
reactions from the open source community because his manner of protest
involved breaking thousands of applications by introducing infinite
loops within them.

However, the move by RIAEvangelist, who maintains over 40 packages on
npm, has drawn sharp criticism for going beyond just "peaceful protest"
and actively deploying destructive payloads in a popular library
without any warning to honest users. [...]

Continued at
https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/

None of this is new, of course [1], but little by little IT workers are
beginning to exercise publicly the political power they hold.


Unfortunately, many have still internalized the oppression they are
subjected to; many measure the value of open source only in terms of
the exploitation of highly skilled, unpaid labour that it guarantees to
business, and to them these political actions appear incomprehensible
and harmful:

```
A GitHub user called it "a huge damage" to the credibility of the whole
open source community.

"This behavior is beyond f**** up. Sure, war is bad, but that doesn't
make this behavior (e.g. deleting all files for Russia/Belarus users
and creating strange file in desktop folder) justified. F*** you, go to
hell. You've just successfully ruined the open-source community. You
happy now @RIAEvangelist?" asked another. [...]
```

Companies, however, have long been on a war footing [2], and even the
smallest ones resort to veiled threats against anyone who dares to show
that the emperor has no clothes:
```
"Even if the deliberate and dangerous act of maintainer RIAEvangelist
will be perceived by some as a legitimate act of protest. How does that
reflect on the maintainer’s future reputation and stake in the
developer community?" asks Snyk's Tal.
```

But the good news is that, little by little, class consciousness is
reaching IT workers too. [3]


Giacomo

[1]
http://www.tesio.it/2020/10/02/la_lotta_informatica_per_la_democrazia_cibernetica.html#complessita-e-potere

[2] http://www.tesio.it/2022/02/12/I_Dati_della_Discordia.odt

[3] https://nitter.net/AlphabetWorkers/status/1504194542911713284
_______________________________________________
nexa mailing list
[email protected]
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
