How Shady Code Commits Compromise the Security of the Open-Source Ecosystem
Traditionally, concerns over open-source code security have revolved around whether or not open-source code could contain vulnerabilities, backdoors, or hidden malicious code. In recent months, however, we have observed a growth in a particular trend: Open-source code is being subjected to modifications to its functionality to express political protest. These instances of so-called “protestware” occur in the form of code changes by certain open-source code maintainers or backers in what could only be surmised as politically motivated or protest-driven acts. While this activity is not new and has been seen in the past, the recent geopolitical situation has divided the open-source community: Some support the trend, while others prefer that the open-source ecosystem remain apolitical, as protestware could jeopardize the trustworthiness of open-source software as a whole.
This type of activity attracted significant attention after the maintainer of an important Node.js supply chain component, node-ipc, altered its code to have destructive behavior. This node-ipc incident happened in March and turned out to be far from being an isolated case. There have been other incidents in the open-source community tied to the ongoing conflicts in Ukraine, Israel, and Palestine, and other geopolitical issues. Users of open-source software therefore need to ensure that the whole supply chain of their open-source software stack is safe and has not been affected by code changes that are not related to the code components’ main functionality. In fact, this is a new concern that IT administrators have to worry about when securing their systems. Now, they also have to think about how politics might interfere with their digital supply chain.
In this blog post, we discuss several open-source code security incidents featuring code commits that introduced political messages, malicious code modifications, and destructive actions. We also provide an analysis of what these incidents could mean for the IT industry as a whole and for the open-source community in particular.
Users of affected node-ipc versions had files deleted, replaced with heart emojis
The most notable of the recent open-source code cases was the node-ipc incident. Node-ipc is a package that enables local and remote inter-process communication (IPC) in Node.js. It supports Linux, macOS, and Windows, and is a key component of node packet manager (npm), which is a default package manager for Node.js. Consequently, node-ipc is deployed and used in many servers around the world, even if the system administrators of these servers did not explicitly install it; the node-ipc package could have been installed as a dependency of other packages.
Between March 7 and 8, 2022, the code for node-ipc was modified to include destructive commands if the code detected itself to be running in certain geographical regions. Simply put, it would overwrite any file it could access with a heart emoji if it passed the geolocation check. Two specific versions, 10.1.1 and 10.1.2, included this code modification. These altered versions were online for about five hours, until they were replaced by version 10.1.3, a version without the destructive code.
Further, another modified version of node-ipc, version 11.0.0, was uploaded within another four hours. This added the use of the peacenotwar module, which dropped a text file on a user’s desktop. This functionality was declared in the new version’s README file, which, for obvious reasons, had not been done with the earlier versions. This version was used by more than 300 packages and was downloaded more than one million times during the first three weeks of March.
On March 15, the stable version of node-ipc was updated to 9.2.2, and it was here that the impact became more significant because many projects relied on the stable version of node-ipc. This version also ran the peacenotwar module whenever node-ipc was called as a dependency, making this added behavior much more visible. Among the most prominent affected applications were the Unity 3D gaming engine and the Vue.js JavaScript framework, which had been used on many websites, including popular ones such as Behance and 9Gag. Websites using the Vue.js framework had either been put at risk of having their content deleted or, worse, already had their content deleted.
A GitHub user’s investigation of the node-ipc code showed that the malicious code added to the package would delete files based on a user’s IP address geolocation check via an online API.