Peacenotwar

Last updated

peacenotwar
Type Protestware
SubtypeJavaScript Payload
Authors Brandon Nozaki Miller
Technical details
Written in JavaScript

peacenotwar is a piece of malware, which has been characterized as protestware, [1] created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc, a common JavaScript dependency.

Contents

Background

Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the node-ipc package on the npm package registry, released two updates allegedly containing malicious code targeting systems in Russia and Belarus (CVE - 2022-23812). This code recursively overwrites all files on the user's system drive with heart emojis. [2] [3] [4] [5] [6] [7] [8] [9] [ excessive citations ] A week later, Miller added the peacenotwar module as a dependency to node-ipc. [10] The function of peacenotwar was to create a text file titled WITH-LOVE-FROM-AMERICA.txt on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (npm colors package) that would result in a Denial of Service (DoS) to any server using it. [11] [12]

Impact

Because node-ipc was a common software dependency, it compromised several other projects which relied upon it. [13]

Among the affected projects was Vue.js, which required node-ipc as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release. [14] [15]

See also

References

  1. "Open source 'protestware' harms Open Source - Voices of Open Source". 24 March 2022. Archived from the original on 11 January 2024. Retrieved 9 June 2024.
  2. Dan Goodin (18 March 2022). "Sabotage: Code added to popular NPM package wiped files in Russia and Belarus". Ars Technica . Archived from the original on 31 December 2023. Retrieved 9 June 2024.
  3. "Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers". Vice News . 18 March 2022. Archived from the original on 18 March 2022. Retrieved 18 March 2022.
  4. Lucian Constantin (19 March 2022). "Developer sabotages own npm module prompting open-source supply chain security questions". Computer Security Online. Retrieved 16 March 2024.
  5. Adam Bannister (21 March 2022). "NPM maintainer targets Russian users with data-wiping 'protestware'". The Daily Swig: Cybersecurity News and Views. Archived from the original on 16 March 2024. Retrieved 16 March 2024.
  6. "Embedded Malicious Code in node-ipc". GitHub. Retrieved 16 March 2024.
  7. "CVE-2022-23812 Detail". National Vulnerability Database. Retrieved 16 March 2024.
  8. Ax Sharma (17 March 2022). "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer. Archived from the original on 17 March 2022. Retrieved 16 March 2024.
  9. "CVE-2022-23812". GitHub. Archived from the original on 16 March 2024. Retrieved 16 March 2024.
  10. Proven, Liam (18 March 2022). "JavaScript library updated to wipe files from Russian computers". The Register . Situation Publishing. Archived from the original on 18 March 2022. Retrieved 18 March 2022.
  11. "Alert: Peacenotwar module sabotages NPM developers in the node-ipc package to protest the invasion of Ukraine | Snyk". 16 March 2022. Archived from the original on 9 April 2022. Retrieved 18 March 2022.
  12. "Open source maintainer pulls the plug on NPM packages colors and faker, now what? | Snyk". 9 January 2022.
  13. "Node-ipc-dependencies-list". GitHub . 19 March 2022. Archived from the original on 16 April 2022. Retrieved 18 March 2022.
  14. "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer . Archived from the original on 17 March 2022. Retrieved 17 March 2022.
  15. Tal, Liran (16 March 2022). "Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine". Snyk. Archived from the original on 9 April 2022. Retrieved 18 March 2022.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.