An open source piece of software has been modified to delete data from PCs. What is interesting about this case is that the saboteur was the code’s own creator. The developer, a Russian, appears to have committed the cyber-vandalism as a form of retaliation against his own country over the Ukraine conflict. The consequences, however, extend beyond national borders.
The case illustrates the dangers that can come with free and open source software, and why organisations should be cautious about the software they use. Sally Vincent, Senior Threat Research Engineer at LogRhythm, has been investigating this unusual incident for Digital Journal.
There are certain lessons to be learned from this situation, according to Vincent: “The inclusion of ‘protestware’ in the open-source node-ipc module serves as a reminder to all organizations that use of open-source software comes with security risks.”
According to Vincent, the following points always apply:
– Organizations should have open-source software governance policies in place, as well as monitoring policies for updates from open-source repositories.
– Developers should be aware of the security concerns associated with incorporating open-source repositories into their work.
– Any project that relies on open-source repositories should always double-check its source code to ensure dangerous code isn’t hidden therein.
Vincent warns that an incident like this could easily be repeated, noting: “This incident shows how easily malicious code can be introduced to an open-source project.” That holds regardless of the motivation behind it, as Vincent states: “It’s notable for the fact that the person who introduced it claims that it is part of a peaceful protest.” She adds: “Regardless of intent, the code is potentially very harmful. Any projects that use node-ipc should be immediately checked to make sure they are not on a malicious source code thread.”