Should we be concerned in any way

Not being from Russia or Belarus this is not really a direct concern for me but the principle of infected core routines is:

3 Likes

I think supply chain type attacks are inevitable when installing packages from external sources, i.e. you can easily open yourself up to all types of mischief if you are not vigilant. Not many take any time to read through the source, nor do many understand it, let alone comprehend the risks involved. But nonetheless they install blindly. It has become a very common attack vector for many groups. There needs to be some form of auditing applied to NPM assets (much the same as tokens/coins in Crypto market places), in my opinion. Until then it is up to the Developer to understand the risks.

Very interesting article though @Hyperbytes, thanks for sharing!

1 Like

We do not use this package, but this is indeed a very bad development, damaging the name of open source very badly.

1 Like

This is WHY all the nice things distributed on the internet some jerks will inevitably destroy.
NPM, for instance, began in Trust. Assumed that the Developer Community was worthy of it & given Carte Blanche passes to make life easier for 99.7% of us.

Soon, it was realized that 99.7 % can make honest mistakes in updating repositories. Steps taken to help roll-back minor and serious global problems.

But, that .3%, for criminal or political or anarchist impulses, have started a tipping point -- a slide downhill into an abyss of double-double-triple-quadruple "security" cleansing,

That's easier said than done. Node-ipc is present in many programs. This nodejs module is used for local and remote InterProcess Communication (IPC) on Linux, Mac, and Windows systems. It's also used in the very popular vue-cli, a Javascript framework for building web-based user interfaces. From there, this malware wrecked a large number of systems.

Liran Tal, the Snyk researcher who uncovered the problem said, "Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer's future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

But all that said, this "protestware" sets a dangerous precedent. As one programmer on GitHub wrote, "What's going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open-source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open-source software -- all free and open-source software -- within their companies. Or at least all of it which is community maintained. This will have no positive effect for Ukrainians, you idiot, and will only hurt FOSS [Free and open-source software] adoption." Exactly so.

In the meantime, in open-source's usual fixing its own messes ways, another developer Tyler S. Resch, MidSpike, has started an effort to build a safe node-ipc fork on GitHub.

1 Like