Peacenotwar

{{Short description|Malware}}

{{lowercase title}}

{{Use dmy dates|date=March 2022}}

{{infobox computer virus

| Common name = peacenotwar

| Type = Protestware

| Subtype = JavaScript Payload

| Author = Brandon Nozaki Miller

| Language = JavaScript

}}

peacenotwar is a piece of malware, which has been characterized as protestware,{{cite web | url=https://blog.opensource.org/open-source-protestware-harms-open-source/ | title=Open source 'protestware' harms Open Source - Voices of Open Source | date=24 March 2022 | access-date=9 June 2024 | archive-date=11 January 2024 | archive-url=https://web.archive.org/web/20240111164735/https://blog.opensource.org/open-source-protestware-harms-open-source/ | url-status=live }} created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for node-ipc, a common JavaScript dependency.

Background

Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the node-ipc package on the npm package registry, released two updates allegedly containing malicious code targeting systems in Russia and Belarus ({{CVE|2022-23812}}). This code recursively overwrites all files on the user's system drive with heart emojis.{{cite web|url=https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/|title=Sabotage: Code added to popular NPM package wiped files in Russia and Belarus|date=March 18, 2022|author=Dan Goodin|website=Ars Technica|access-date=9 June 2024|archive-date=31 December 2023|archive-url=https://web.archive.org/web/20231231215346/https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/|url-status=live}}{{Cite web |title=Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers |url=https://www.vice.com/en/article/open-source-sabotage-node-ipc-wipe-russia-belraus-computers/ |access-date=2022-03-18 |website=Vice News |date=18 March 2022 |language=en |archive-date=18 March 2022 |archive-url=https://web.archive.org/web/20220318155800/https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers |url-status=live }}{{cite web |title=Developer sabotages own npm module prompting open-source supply chain security questions |author=Lucian Constantin|date=Mar 19, 2022|url=https://www.csoonline.com/article/572327/developer-sabotages-own-npm-module-prompting-open-source-supply-chain-security-questions.html|website=Computer Security Online |access-date=16 March 2024}}{{cite web |title=NPM maintainer targets Russian users with data-wiping 'protestware' |url=https://portswigger.net/daily-swig/npm-maintainer-targets-russian-users-with-data-wiping-protestware |author=Adam Bannister |date=21 March 2022 |website=The Daily Swig: Cybersecurity News and Views 
|access-date=16 March 2024 |archive-date=16 March 2024 |archive-url=https://web.archive.org/web/20240316204225/https://portswigger.net/daily-swig/npm-maintainer-targets-russian-users-with-data-wiping-protestware |url-status=live }}{{cite web |title=Embedded Malicious Code in node-ipc |url=https://github.com/advisories/GHSA-97m3-w2cp-4xx6 |website=GitHub |access-date=16 March 2024}}{{cite web |title=CVE-2022-23812 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2022-23812 |website=National Vulnerability Database |access-date=16 March 2024}}{{cite web |title=BIG sabotage: Famous npm package deletes files to protest Ukraine war |url=https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ |website=Bleeping Computer |author=Ax Sharma |date=March 17, 2022 |access-date=16 March 2024 |archive-date=17 March 2022 |archive-url=https://web.archive.org/web/20220317095413/https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ |url-status=live }}{{cite web |title=CVE-2022-23812 |url=https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c |website=GitHub |access-date=16 March 2024 |archive-date=16 March 2024 |archive-url=https://web.archive.org/web/20240316204225/https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c |url-status=live }} A week later, Miller added the peacenotwar module as a dependency to node-ipc.{{cite web |last1=Proven |first1=Liam |title=JavaScript library updated to wipe files from Russian computers |url=https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/ |website=The Register |publisher=Situation Publishing |access-date=18 March 2022 |archive-url=https://web.archive.org/web/20220318130958/https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/ |archive-date=18 March 2022 |date=18 March 2022 |url-status=live}} The function of peacenotwar was to create a text file titled 
WITH-LOVE-FROM-AMERICA.txt on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on the npm colors package, which would result in a denial of service (DoS) on any server using it.{{cite web | url=https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/ | title=Alert: Peacenotwar module sabotages NPM developers in the node-ipc package to protest the invasion of Ukraine | Snyk | date=16 March 2022 | access-date=18 March 2022 | archive-date=9 April 2022 | archive-url=https://web.archive.org/web/20220409122257/https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/ | url-status=live }}{{cite web | url=https://snyk.io/blog/open-source-npm-packages-colors-faker/ | title=Open source maintainer pulls the plug on NPM packages colors and faker, now what? | Snyk | date=9 January 2022 }}

Impact

Because node-ipc was a common software dependency, it compromised several other projects which relied upon it.{{Cite web|url=https://github.com/zlw9991/node-ipc-dependencies-list/|title=Node-ipc-dependencies-list|website=GitHub|date=19 March 2022|access-date=18 March 2022|archive-date=16 April 2022|archive-url=https://web.archive.org/web/20220416164135/https://github.com/zlw9991/node-ipc-dependencies-list|url-status=live}}

Among the affected projects was Vue.js, which required node-ipc as a dependency but did not specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.{{cite web|title=BIG sabotage: Famous npm package deletes files to protest Ukraine war|url=https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/|access-date=17 March 2022|work=Bleeping Computer|archive-date=17 March 2022|archive-url=https://web.archive.org/web/20220317095413/https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/|url-status=live}}{{cite web|last1=Tal|first1=Liran|title=Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine|url=https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/|website=Snyk|date=16 March 2022|access-date=18 March 2022|archive-date=9 April 2022|archive-url=https://web.archive.org/web/20220409122257/https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/|url-status=live}}
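
A defender's check for the dependency pattern described above, as an added example that is not part of the original article or of any project's own code: it walks the `packages` map of an npm lockfile and reports each installed copy of node-ipc, peacenotwar or colors, plus every dependent that requests one of them with a floating version range. The sample lockfile, the names `my-app` and `example-cli`, and all version numbers are constructed placeholders.

```javascript
// Package names taken from the article; extend to your own watch list.
const WATCHED = new Set(['node-ipc', 'peacenotwar', 'colors']);

// Only an exact version ("1.2.3", "=1.2.3") is pinned. "^1.2.3", "~1", "*",
// "latest", ">=9" or "" can resolve to a newer release at install time.
function isFloating(range) {
  return !/^=?\s*v?\d+\.\d+\.\d+(-[\w.-]+)?(\+[\w.-]+)?$/.test(String(range).trim());
}

// Last path segment of a lockfile key such as "node_modules/a/node_modules/@s/b".
const nameOf = (path) => (path === '' ? '(root project)' : path.split('node_modules/').pop());

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== '' && WATCHED.has(nameOf(path))) {
      findings.push({ kind: 'installed', name: nameOf(path), version: meta.version, path });
    }
    const requested = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const [dep, range] of Object.entries(requested)) {
      if (WATCHED.has(dep)) {
        findings.push({ kind: 'requested', name: dep, range, by: nameOf(path), floating: isFloating(range) });
      }
    }
  }
  return findings;
}

// Constructed sample: tree shape, dependents and versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'example-cli': '1.0.0', colors: '1.0.0' } },
    'node_modules/example-cli': { version: '1.0.0', dependencies: { 'node-ipc': '^1.0.0' } },
    'node_modules/node-ipc': { version: '1.2.0', dependencies: { peacenotwar: '^1.0.0', colors: '*' } },
    'node_modules/peacenotwar': { version: '1.0.1' },
    'node_modules/colors': { version: '1.0.0' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(f.kind === 'installed'
    ? `installed ${f.name}@${f.version} at ${f.path}`
    : `${f.by} requests ${f.name}@"${f.range}"${f.floating ? ' (floating range)' : ''}`);
}
```

For a real project, pass the parsed contents of `package-lock.json` to `auditLock` in place of the sample object.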

References