Why developers are breaking their own code – TechCrunch


As if fending off attacks and hijacked legitimate packages on open source registries like npm weren’t challenging enough, app makers are increasingly facing the consequences of developers sabotaging their own software. A developer can change their mind at will and do whatever they want with their open source code, which usually comes with no guarantees and is provided “as is” anyway. Or, as seen in a growing trend this year, developers deliberately deface their own software libraries as a means of resistance, turning software into “protestware.”

In July, Markus Unterwaditzer, maintainer of the widely used Python library atomicwrites, temporarily removed the code from the popular PyPI code registry after the site said it would require two-factor authentication for maintainers of “critical projects”, meaning projects that fall within the top 1% of all downloads on the registry. Unterwaditzer’s atomicwrites project met the criteria and would have required two-factor authentication, something he described in a post as “an annoying and entitled move to guarantee SOC2 compliance for a few companies (at the expense of my free time).”

Some have compared this to the left-pad incident of 2016, which broke a large part of the internet after the project’s developer deleted widely used code in protest. Developer Azer Koçulu had run into a trademark dispute with the messaging app Kik because his npm package was named “kik”. After npm sided with Kik in the dispute, Koçulu deleted all of his code – 273 modules, including the popular left-pad library – from the npm repository. He was fully within his rights to do so, but it immediately created problems. At the time, the hugely popular left-pad package had logged over 15 million downloads, and today the library continues to be downloaded millions of times every week. So in March 2016, developers around the world were confused, and shocked, when their projects broke because the left-pad package their applications relied on could no longer be found.

What seemed to be an isolated protest years ago has become a pattern in 2022: developers are on the offensive again, defacing their own libraries, sometimes to protest against large corporations, but also to protest Russia’s recent invasion of Ukraine.

The recent rise of protestware

Early in 2022, colors and faker, two of the most used npm projects and ones that thousands of applications depend on, were sabotaged and began printing gibberish text on users’ screens. There was no malicious actor hacking and modifying these legitimate libraries. The projects’ developer, Marak Squires, deliberately sabotaged his own work to send a message of protest to large corporations.

Squires’ protest was sparked by the Log4Shell incident, in which the Log4j project’s maintainers, mostly open source volunteers, patched a critical security flaw over the December holidays. Squires had previously expressed frustration at Fortune 500 companies using his open source code for free without funding or supporting its maintenance. The Log4Shell vulnerability only reinforced that feeling: businesses everywhere were running Log4j in their applications and weren’t doing enough to support the unpaid volunteers who maintained these critical projects in their free time.

Although Squires’ protest temporarily broke projects that relied on the colors library, months later it was followed by a wave of developers who had devoted hundreds of hours to their own projects sabotaging them to protest Russia’s war in Ukraine.

In March 2022, weeks after Russian troops crossed into Ukrainian territory, the popular npm project node-ipc – downloaded more than a million times per week – began wiping the machines of suspected Russian and Belarusian developers. The project’s developer, Brandon Nozaki Miller, allegedly rigged the code to corrupt the computers on which it was installed. Needless to say, the sabotaged versions of node-ipc – now effectively malware – were removed from the npm registry.

Since then, the protestware theme has evolved into more peaceful forms of protest by developers. New versions of the open source projects event-source-polyfill, es5-ext and styled-components simply display a message asking Russia-based users to take action against the war. These versions remain on npm, as they do not violate the registry’s policies.

Publishing protestware may not be an easy decision for the developer either. Any and all versions of a sabotaged project will be subject to further scrutiny, and it may damage the community’s trust in the developer. Can any software they author, past or future, be trusted again?

Evan Jacobs, one of the main maintainers behind styled-components, told TechCrunch that his project has a history of activism, “specifically our support of [Black Lives Matter] activities and advice to our users to consider donations to the Equal Justice Initiative.” He added: “I had heard that the Russian government had begun censoring Western news sites and realized that we had a unique opportunity to deliver a concise and informative message through a common channel: our npm package installations.”

A screenshot of the nestjs-pino project on npm that prominently features a photo of children waiting in a bomb shelter in Mariupol, Ukraine. Image Credits: TechCrunch / Screenshot

Jacobs felt it was vital that Russians received accurate information about the war, free from government interference. He updated styled-components, which had more than 15 million monthly downloads as of April, to show Russia-based users a bilingual message summarizing “the many atrocities being committed by the Russian military in Ukraine.”

“Has it had an impact? We’ll probably never know,” Jacobs said. “That being said, I think it’s totally worth the opportunity to spread information and keep an eye on software people in Russia who might not otherwise see what’s going on.”

Another developer, Mariusz Nowak, creator of the es5-ext project, later updated versions of the library to direct users based in Russia and Belarus to authentic news sources, such as the BBC’s Tor service. Nowak told TechCrunch that he decided to revise the code because Russians “are not really sure what’s going on and are influenced by their propaganda media,” citing tight government control over Russian media. “This message only shows up if you install the software in Russia; of course it won’t show up in other parts of the world,” Nowak said.

Nowak’s use of his open source library for activism did not affect his credibility with the wider community, though he did receive some angry backlash at first.

Jacobs and Nowak aren’t the only ones repurposing their open source code to counter the war. Software supply chain security startup Socket told TechCrunch that nestjs-pino, a popular npm project with over 100,000 weekly downloads, has updated its main “readme” file to focus on the ongoing crisis in Ukraine. An installation script bundled with the package also prints a console message as soon as it is installed.

“You can’t trust what you can’t verify.”

Open source developers are finding new and creative ways not only to implement new features in their projects, but to actively express their views on larger social issues by modifying their projects for a cause. And, unlike proprietary code, which must conform to the expectations of a paying customer, most open source licenses are very permissive, toward both the user and the developer, who gives away their code under licenses that guarantee nothing the developer does not owe. That makes protestware a gray area as to what developers may, and may never, do with their own code.

In fact, as a security researcher at Sonatype, I’ve seen how protestware challenged us in the early stages and how projects like colors and faker could defeat our own automated malware detection algorithms. Traditionally, the system was designed to detect typosquatting malware uploaded to open source repositories, but cases such as malicious hijacks or developers modifying their own libraries without warning require a deeper understanding of the intricacies of how protestware works.

The theme also puts major open source repositories, such as npm – owned by GitHub, a subsidiary of Microsoft – at a crossroads when it comes to addressing these edge cases.

Socket founder Feross Aboukhadijeh told TechCrunch that repositories like GitHub are in a difficult position. “On the one hand, they want to support activists’ freedom of expression and the ability to use a platform to support the causes they believe in. But on the other hand, GitHub users are responsible for verifying this malicious code. It’s not served from npm servers. It’s sometimes a balancing act,” Aboukhadijeh said.

A simple way to ensure you only get verified versions of a component in your build is to pin your npm dependency versions. This way, even if future versions of the project are sabotaged or hijacked, your build continues to use the “pinned” version instead of fetching the new, infected one. But this may not always be an effective strategy for every ecosystem, such as PyPI, where existing versions of a component can be republished, as we saw in the hijacking of the ctx PyPI project.
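As an added example, not code from the article or from any of the projects it mentions, the Node.js script below audits a package.json for dependency specs that are not exact pins and a package-lock.json (the lockfile v2/v3 `packages` layout) for resolved packages that carry no `integrity` hash. Both manifests are constructed samples; the integrity check is there because, as noted above, a pinned version number alone does not help where a version can be republished, whereas a content hash in the lockfile does.

```javascript
// Added example (not from the article): audit an npm manifest for unpinned
// dependency specs and a lockfile for packages lacking an integrity hash.
// Both inputs are constructed sample data, not real project files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    'left-pad': '1.3.0',   // exact pin: a later sabotaged release is never fetched
    'colors': '^1.4.0',    // caret range: any newer 1.x, including a bad one
    'node-ipc': '~10.1.0', // tilde range: any newer 10.1.x
    'faker': '*',          // anything at all
  },
  devDependencies: { 'eslint': '>=8.0.0' },
});

// Lockfile v2/v3: "packages" keyed by install path; '' is the root project.
// Real integrity values are base64 SHA-512 digests; this one is a placeholder.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/colors': { version: '1.4.0' }, // no integrity: tarball unverified
  },
});

// An exact pin is bare x.y.z with an optional prerelease/build suffix; any other
// spec (ranges, dist-tags, git or URL specs) is reported as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

function findMissingIntegrity(lockText) {
  const lock = JSON.parse(lockText);
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== '' && !entry.integrity)
    .map(([path]) => path.slice(path.lastIndexOf('node_modules/') + 13)); // keep the package name
}

function audit(packageJsonText, lockText) {
  return { unpinned: findUnpinned(packageJsonText), missingIntegrity: findMissingIntegrity(lockText) };
}

console.log(JSON.stringify(audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK), null, 2));
```

Run against a real project by reading the two files from disk instead of the constructed strings; the `missingIntegrity` list is what `npm ci` would install without any content verification.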

“The conversation around protestware is really a conversation about the security of the software supply chain. You can’t trust what you can’t verify,” Dan Lorenc, CEO of Chainguard, a startup specializing in software supply chain security, told TechCrunch.

Lorenc’s advice for preventing protestware is to practice good open source security hygiene and follow best practices that help developers detect protestware easily and early. “Knowing and understanding your dependencies, performing regular inspections and auditing of the open source code you’re using in your environment are a start.”

But Lorenc warns that the debate about protestware could attract copycats, who add to the problem and distract defenders of open source software from focusing on what matters most: stopping malicious actors. And unknowns remain about protestware. Which issue is too small – or too big – to warrant protestware?

No one can practically dictate what an open source developer does with their code – developers have always had that power, but are only now starting to use it.

Updated to correct Squires’ name.
