Peacenotwar Explained
peacenotwar is a piece of malware, which has been characterized as protestware,[1] created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc
, a common JavaScript dependency.
Background
Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the node-ipc
package on the npm package registry, released two updates containing malicious code targeting systems in Russia and Belarus . This code recursively overwrites all files on the user's system drive with heart emojis.[2] [3] [4] [5] [6] [7] [8] [9] A week later, Miller added the peacenotwar module as a dependency to node-ipc
.[10] The function of peacenotwar was to create a text file titled WITH-LOVE-FROM-AMERICA.txt
on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (npm colors package) that would result in a Denial of Service (DoS) to any server using it.[11] [12]
Impact
Because node-ipc
was a common software dependency, it compromised several other projects which relied upon it.[13]
Among the affected projects was Vue.js, which required node-ipc
as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.[14] [15]
See also
Notes and References
- Web site: Open source 'protestware' harms Open Source - Voices of Open Source . 24 March 2022 . 9 June 2024 . 11 January 2024 . https://web.archive.org/web/20240111164735/https://blog.opensource.org/open-source-protestware-harms-open-source/ . live .
- Web site: Sabotage: Code added to popular NPM package wiped files in Russia and Belarus. March 18, 2022. Dan Goodin. Ars Technica. 9 June 2024. 31 December 2023. https://web.archive.org/web/20231231215346/https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/. live.
- Web site: Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers . 2022-03-18 . . 18 March 2022 . en . 18 March 2022 . https://web.archive.org/web/20220318155800/https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers . live .
- Web site: Developer sabotages own npm module prompting open-source supply chain security questions . Lucian Constantin. Mar 19, 2022. Computer Security Online . 16 March 2024.
- Web site: NPM maintainer targets Russian users with data-wiping ‘protestware’ . Adam Bannister . 21 March 2022 . The Daily Swig: Cybersecurity News and Views . 16 March 2024 . 16 March 2024 . https://web.archive.org/web/20240316204225/https://portswigger.net/daily-swig/npm-maintainer-targets-russian-users-with-data-wiping-protestware . live .
- Web site: Embedded Malicious Code in node-ipc . GitHub . 16 March 2024.
- Web site: CVE-2022-23812 Detail . National Vulnerability Database . 16 March 2024.
- Web site: BIG sabotage: Famous npm package deletes files to protest Ukraine war . Bleeping Computer . Ax Sharma . March 17, 2022 . 16 March 2024 . 17 March 2022 . https://web.archive.org/web/20220317095413/https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ . live .
- Web site: CVE-2022-23812 . GitHub . 16 March 2024 . 16 March 2024 . https://web.archive.org/web/20240316204225/https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c . live .
- Web site: Proven . Liam . JavaScript library updated to wipe files from Russian computers . . Situation Publishing . 18 March 2022 . https://web.archive.org/web/20220318130958/https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/ . 18 March 2022 . 18 March 2022 . live.
- Web site: Alert: Peacenotwar module sabotages NPM developers in the node-ipc package to protest the invasion of Ukraine | Snyk . 16 March 2022 . 18 March 2022 . 9 April 2022 . https://web.archive.org/web/20220409122257/https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/ . live .
- Web site: Open source maintainer pulls the plug on NPM packages colors and faker, now what? | Snyk . 9 January 2022 .
- Web site: Node-ipc-dependencies-list. GitHub. 19 March 2022. 18 March 2022. 16 April 2022. https://web.archive.org/web/20220416164135/https://github.com/zlw9991/node-ipc-dependencies-list. live.
- Web site: BIG sabotage: Famous npm package deletes files to protest Ukraine war. 17 March 2022. Bleeping Computer. 17 March 2022. https://web.archive.org/web/20220317095413/https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/. live.
- Web site: Tal. Liran. Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine. Snyk. 16 March 2022. 18 March 2022. 9 April 2022. https://web.archive.org/web/20220409122257/https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/. live.