peacenotwar

peacenotwar
peacenotwar
Type	Malware
Subtype	JavaScript Payload
Authors	Brandon Nozaki Miller
Technical details
Written in	JavaScript

peacenotwar is a piece of malware/Protestware^[1] created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc, a common JavaScript dependency.

Background

Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the node-ipc package on the npm package registry, released two updates containing malicious code targeting systems in Russia and Belarus (CVE-2022-23812).^[2]^[3] A week later, Miller added the peacenotwar module as a dependency to node-ipc.^[4] The function of peacenotwar was to create a text file titled WITH-LOVE-FROM-AMERICA.txt on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (nmp colors package) that would result in a Denial of Service (DoS) to any server using it.^[5]^[6]

Impact

Because node-ipc was a common software dependency, it compromised several other projects which relied upon it.^[7]

Among the affected projects was Vue.js, which required node-ipc as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.^[8]^[9]

References

^ "Open source 'protestware' harms Open Source - Voices of Open Source". 24 March 2022.
^ Juha Saarinen (17 March 2022). "'Protestware' npm package dependency labelled supply-chain attack". IT News. nextmedia.
^ "Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers". Vice News. 18 March 2022. Retrieved 18 March 2022.
^ Proven, Liam (18 March 2022). "JavaScript library updated to wipe files from Russian computers". The Register. Situation Publishing. Archived from the original on 18 March 2022. Retrieved 18 March 2022.
^ "Alert: Peacenotwar module sabotages NPM developers in the node-ipc package to protest the invasion of Ukraine | Snyk". 16 March 2022.
^ "Open source maintainer pulls the plug on NPM packages colors and faker, now what? | Snyk". 9 January 2022.
^ "Node-ipc-dependencies-list". GitHub. 19 March 2022.
^ "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer. Retrieved 17 March 2022.
^ Tal, Liran (16 March 2022). "Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine". Snyk.

[1] "Open source 'protestware' harms Open Source - Voices of Open Source". 24 March 2022.

[2] Juha Saarinen (17 March 2022). "'Protestware' npm package dependency labelled supply-chain attack". IT News. nextmedia.

[3] "Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers". Vice News. 18 March 2022. Retrieved 18 March 2022.

[register-4] Proven, Liam (18 March 2022). "JavaScript library updated to wipe files from Russian computers". The Register. Situation Publishing. Archived from the original on 18 March 2022. Retrieved 18 March 2022.

[5] "Alert: Peacenotwar module sabotages NPM developers in the node-ipc package to protest the invasion of Ukraine | Snyk". 16 March 2022.

[6] "Open source maintainer pulls the plug on NPM packages colors and faker, now what? | Snyk". 9 January 2022.

[7] "Node-ipc-dependencies-list". GitHub. 19 March 2022.

[8] "BIG sabotage: Famous npm package deletes files to protest Ukraine war". Bleeping Computer. Retrieved 17 March 2022.

[Snyk-9] Tal, Liran (16 March 2022). "Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine". Snyk.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Background

Impact

See also

References