[remark] The impact of hacktivism / protestware in open-source

by Ciprian Dorin Craciun (https://volution.ro/ciprian) on 

I wanted to document (mainly for myself) the emerging trend of "hacktivism" in the world of open-source, its impact on fellow developers, and the response of the broader community.

I'll keep updating this document as the events unfold.

(2016) left-pad

It all started with the NPM library left-pad in 2016, when its developer decided to remove his libraries from NPM in protest at a company that had sent its lawyers to pressure him into renaming one of his libraries; as a consequence, NPM unilaterally enforced the renaming without the developer's consent.

Because it was a dependency of many other widely used libraries, its removal broke builds and installs across the development world.

Everything was resolved, again unilaterally, when NPM republished the library, again without the developer's consent, which was possible because the library was under an open-source license.

(2022) colors and faker

Then, in early 2022, two other NPM libraries followed, colors and faker, whose developer wanted to protest against large corporations that used his (and others') open-source code without ever contributing back (neither code nor financial support).

Again, these being two popular libraries, the impact on the development world was major, but this time it did not manifest as broken builds; instead, software using them entered an infinite loop and printed random characters to the console.

It was the first well-known instance of a developer adding malicious code to his own library. However, the effects were benign this time...

It was again solved by downgrading the NPM libraries to previous working versions.

(2022) node-ipc

Not much later, still in 2022, the world caught fire when Russia decided to invade Ukraine, and developers decided to join the war effort as they knew best -- some created sites to help refugees, some engaged in DDoS attacks against Russian sites, while others decided to weaponize their open-source code, targeting Russian and Belarusian developers and users.

One such piece of "protestware" (as the category came to be called) is another NPM library, node-ipc, whose developer decided it was a good idea to introduce obfuscated code that, when run, tried to geolocate the host's IP address and, if it found it to be in Russia or Belarus, started shredding any file it could get access to...

Thankfully, the affected versions were quickly removed from the NPM registry; however, there are accounts of actual data being lost.

Obviously, this got a "little" more attention than the previous cases, including responses from the EFF and the OSI.
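The common thread in the colors/faker and node-ipc cases above is that the fix was to stay on (or go back to) a reviewed version, and that projects tracking a floating range picked up the bad release automatically. The following is an added example, not code from the original post or from any of the projects mentioned: a small Node.js script that audits a package-lock.json (lockfileVersion 2 or 3 layout) against an allowlist of reviewed versions for packages you consider high-risk, and also flags floating ranges declared for those packages. The lockfile fragment, the package list and every version number in it are constructed placeholders, not real release numbers of colors, faker or node-ipc.

```javascript
// Added example, not code from the original post: audit a package-lock.json against a
// small allowlist of reviewed versions for watched packages, and flag floating ranges
// in package.json for the same packages. The lockfile and all version numbers below
// are constructed placeholders, not real release numbers.

// Allowlist of reviewed versions per watched package (constructed values).
const KNOWN_GOOD = {
  colors: new Set(["1.0.0"]),
  faker: new Set(["2.0.0"]),
};

// Constructed lockfileVersion 3 fragment: the top-level colors drifted to 1.1.0,
// while a nested copy under some-lib is still on the reviewed 1.0.0.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { colors: "^1.0.0", faker: "2.0.0" } },
    "node_modules/colors": { version: "1.1.0" },
    "node_modules/faker": { version: "2.0.0" },
    "node_modules/some-lib": { version: "0.3.1", dependencies: { colors: "1.0.0" } },
    "node_modules/some-lib/node_modules/colors": { version: "1.0.0" },
  },
};

// Package name from a lockfile path; handles nesting and scoped names (@scope/name).
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// True only for an exact x.y.z pin; "^1.0.0", "~1.0.0", "latest" and "*" are floating.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+$/.test(String(range).trim());
}

// Returns a list of findings; an empty list means every watched package is pinned
// and every resolved copy in the tree is a reviewed version.
function auditLockfile(lock, allowlist) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[""] || {};

  // 1. Declared ranges: a caret/tilde range on a watched package lets a future
  //    "npm install" or "npm update" pull in a release nobody has reviewed.
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(root[field] || {})) {
      if (allowlist[name] && !isExactPin(range)) {
        findings.push({ path: "package.json", name, version: range,
                        reason: "floating range on watched package" });
      }
    }
  }

  // 2. Resolved versions: every copy in the tree, nested ones included, must be
  //    one of the reviewed versions.
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    if (!name || !allowlist[name]) continue;
    if (!allowlist[name].has(entry.version)) {
      findings.push({ path: lockPath, name, version: entry.version,
                      reason: "resolved version not in reviewed allowlist" });
    }
  }
  return findings;
}

// Stand-alone run: prints two findings for the constructed lockfile above.
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, KNOWN_GOOD), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and make the check fail the build when the list is non-empty. The check is only worth something if CI installs with `npm ci`, which installs exactly what the lockfile says, rather than `npm install`, which may rewrite the lockfile and resolve a floating range to whatever was published most recently.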

Observations