Does Protestware undermine the trustworthiness of OSS ecosystems?
Two popular packages, “styled-components” and “es5-ext”, with millions of weekly downloads and thousands of dependent projects, released new Protestware versions. The new versions verify that the infected machine belongs to a Russian user and if so, alter their behavior in protest against Russian aggression in Ukraine.
A few weeks ago, the NPM user account riaevangelist released several new versions of its popular package node-ipc, which included wiper functionally protesting the Russia-Ukraine war. This incident followed the “colors” and “faker” incident and together they mark what we and many other foresaw to be a new trend in open-source software: “Protestware”, software that includes functionality which aims to protest or raise an issue. This trend continues with the new versions of the two packages described below.
The Styled-components Package
The popular NPM package styled-components has over 16,500 dependent projects and about 4 million weekly downloads. It was created to enhance the CSS and styling development process for React-based projects and focuses on creating a better development experience.
On March 24, the NPM user account probablyup released two consecutive versions (5.3.4, and 5.3.5). The new addition is an update to the package.json file with a postinstall script that automatically runs when the package is being installed.
The postinstall.js File
A deeper look into the new file “postinstall.js” reveals the author had added new Protestware functionality.
The code reads the operating system’s locale setting and checks whether it is matching a Russian one such as “ru_RU”. If the condition is satisfied, the program prints a hard-coded message to the installation terminal.
The content of the message, printed in both English and Russian (‘via google translate’ as the author indicates) and said to be on behalf of the “styled-components core team,” details “atrocities done by Russia in Ukraine.” The message goes on and calls for Putin’s removal from power:
“If you are in a position to do something, have connections, or can spread the word, this is the time to do so. Don't let Vladimir Putin permanently stain the souls of all Russian people with these atrocities. He must be removed from power immediately.”
A screenshot of the message printed when installing the Protestware package
As seen before in this Checkmarx research blog post, mistakes sometimes happen. The NPM user account probablyup that published version 5.3.4 forgot to include in his new release the postinstall.js file. This disrupted the package’s installation process while causing errors for many developers and build systems trying to use it.
This quickly resulted in a GitHub issue "cannot find module node_modules/styled-components/postinstall.js #3706" created by a user who bumped into this installation error, seeking a solution.
To resolve this problem, NPM user account probablyup (which seems to be the same user that responded to the Issue created on the project’s GitHub page), has quickly released a new fixed version, 5.3.5, which now includes the missing “postinstall.js” file, and can be installed successfully.
More Packages by This User
The NPM user account probablyup has published 25 NPM packages with a total of 14 million weekly downloads. The following table details recent statistics of the top packages:
|Package Name||Number of Weekly Downloads|
The es5-ext Package
Similarly, another popular NPM package es5-ext with nearly 13 million weekly downloads, was updated a few weeks ago to include "Call for peace" message that is printed when the package is installed on machines configured to Russian time zones.
This protest massage mainly urges Russian users to consume their information about the war from reliable sources and includes link for instructions to use Tor browser to circumvent Russian censorship.
This change was first introduced to the es5-ext package in version 0.10.54 on March 7 and went through several iterations before stabilizing on the current version 0.10.59 on March 17.
The changes in this package sparked multiple discussions in the project’s GitHub page, including reports on the installation process breaking due to the new changes in the early iteration of the Protestware functionality.
The continuing of this trend raises again some debates about the legitimacy of these actions and the damage to the trust developers put in these specific packages, their developers, and the ecosystem as a whole.
Another question that arises in relation to these incidents is regarding our security reaction to them. Should we opt for alternative packages or just lock our project to the most recent clean version? What about other packages by the same user? Should we avoid using them as well?
This obviously will be influenced by the nature of the damage the Protestware has done. Previous Protestware has wiped the machines of targeted users, while styled-components and es5-ext only prints protest massages.
Although the “colors” incident marked its beginning and protested other issue, the Protestware trend certainly gained some traction due to the Russian attack on Ukraine. It will be interesting to see what will happened to it once the fighting stops: Will the trend fade as well, or will we continue to see developers pushing their agenda through their popular open source packages?