Protestware is a controversial form of activism. Some people believe that it is a necessary evil to draw attention to important issues. Others believe that it is a harmful and unethical practice.
Cybersecurity researchers at ReversingLabs, a prominent software supply chain security provider, have discovered a new wave of Protestware involving npm packages hiding scripts that bring attention to the humanitarian crisis in two conflict-ridden regions- Ukraine and the Gaza Strip.
Reversing Labs’ cyber content lead and blog author, Peter Roberts explained that protestware is a unique kind of cyberactivism in which the actor utilizes the ‘open-source software ecosystem’ to record protests against social or political issues. They embed code into the software, which, when installed or used, triggers a message or other action that draws attention to the protestware developer’s cause.
“Application developers conceal political messages inside open source code, often designing it to display to the user after an application is installed or when it is executed,” the blog post read.
The same method has been used to call attention to the wars in Ukraine and Gaza. Protestware developers have created software that displays messages condemning the violence.
In the latest campaign, two different protestware samples were found by researchers. The first one used a popular Node.js package manager npm version, e2eakarev npm package, version 7.1.0, published in late October 2023, by an npm user, ‘~updater.downloader.’ It claims to be a ‘free Palestine protest package,’ and has been downloaded eight times so far.
ReversingLabs researcher Lucija Valentić discovered that after installation, this package triggers a postinstall script (index.js) that first checks the location where it is launched. If it is Israel, the package displays an English-language message in the terminal, urging the reader to raise awareness for the ‘Palestinian struggle,’ support the “Boycott, Divest, Sanction (BDS) movement,” and donate to humanitarian aid. The message bears the sign “The Anonymous Protestor.”
Another package, dubbed “@snyk/sweater-comb”, was discovered, version 2.1.1. This npm package was released in August 2023 by Snyk and included a common JavaScript library module called “es5-ext” (already used in many other applications, including Signal Messenger’s installation executable for Windows). The protestware feature was added to this package in early March 2022, as per Checkmarx’s report.
When installed, the module executes a postinstall script ‘_postinstall.js’ that first checks the host device’s geolocation. If it is Russia, a message in the Russian language is displayed urging for peace in Ukraine.
Tomislav Peričin, Chief Software Architect at ReversingLabs, expressed concern over the rising vulnerabilities and software supply chain attacks, stressing that political messages could escalate over time.
“The risks that developers and software consumers face have never been higher, including political messages. Having software perform random acts of political activism does little for the specific cause. But it does decrease the private sector’s already shaky trust in software.”
Tomislav Peričin
Referring to the worldwide condemnation of the Russian invasion of Ukraine, and the resulting sanctions imposed on Russia, the message encourages readers to download the Tor browser or visit a webpage to circumvent censorship.
Apart from displaying these messages, the packages performed no other actions. This indicates that these aren’t malicious per se.
Protestware may appear similar to ethical hacking, but it does highlight the persistent nature of risks associated with the open-source software ecosystem. Threat actors can easily manipulate users by exploiting popular applications in the name of protestware.