{"id":35330,"date":"2022-03-21T16:29:30","date_gmt":"2022-03-21T20:29:30","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35330"},"modified":"2022-03-21T16:29:30","modified_gmt":"2022-03-21T20:29:30","slug":"npm-packages-sabotaged","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/03\/21\/npm-packages-sabotaged\/","title":{"rendered":"NPM Packages Sabotaged"},"content":{"rendered":"

Ax Sharma<\/a>, in January:<\/p>\n

The developer behind popular open-source NPM libraries ‘colors’ (aka colors.js on GitHub<\/a>) and ‘faker’ (aka faker.js on GitHub<\/a>) intentionally introduced mischievous commits in them that are impacting thousands of applications relying on these libraries.<\/p>

Yesterday, users of popular open-source projects, such as Amazon’s Cloud Development Kit<\/a> (aws-cdk) were left stunned on seeing their applications print gibberish messages on their console.<\/p>

[…]<\/p>

The reason behind this mischief on the developer’s part appears to be retaliation—against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.<\/p><\/blockquote>\n\n

Ax Sharma<\/a>:<\/p>\n

This month, the developer behind the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War.<\/p>

Newer versions of the ‘node-ipc’ package began deleting all data and overwriting all files on developer’s machines, in addition to creating new text files with “peace” messages.<\/p><\/blockquote>\n\n

John Gruber<\/a>:<\/p>\n

\n

The way the Node community works, just blindly slurping in other people’s package updates<\/a> without knowing what’s in them, continues to boggle my mind.<\/p>\n<\/blockquote>\n\n

Bruce Schneier<\/a>:<\/p>\n

\n

It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries. Between log4j and this new protestware, it’s becoming a serious vulnerability. The White House tried to start addressing this problem last year, requiring<\/a> a “software bill of materials” for government software[…]<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n