NPM package compromised by author: erases files on RU / BY computers on install (snyk.io)
312 points by asn007 on March 16, 2022 | hide | past | favorite | 164 comments



Honestly a very harmful sort of "doing something about it". As if deleting someone's (presumably, normal people's) files will make them more understanding of the difficulties in the ongoing conflict. Lying about it is also petty, as seen below. Malicious software is malicious regardless of any intentions and should be prosecuted as such. And if one really feels obliged to do their part as they wish, there are many examples of relatively harmless ways to do so; for example, Notepad++ used to open a new tab with text inside, which is not particularly harmful.

>It is documented what it does and only writes a file if it does not exist. You are free to lock your dependency to a version that does not include this until something happens with the war, like it turns into WWIII and more of us wish that we had done something about it, or ends and this gets removed.

from https://github.com/RIAEvangelist/node-ipc/issues/233#issueco...


At this point any damage to the Russian economy translates to Ukrainian lives saved.


Twitter has arrived.


Really? How do you save lives by deleting the average Dmitry's personal computer files? Maybe they were even working on a popular open source product, as many average Russians tend to do.

You should re-evaluate your simplistic mindset


Causing tens or hundreds of thousands of wasted hours by (relatively) high-earning software developers in Russia (who average about 20k USD a year, or $11/hour) is only, generously, a few million dollars USD in "damages".

To clarify, not refuting your point. Just providing napkin math that I agree it doesn't do much.


Regardless of your political position, this falls well within the definition of malware. It's irresponsible for the maintainer to allow this: https://github.com/RIAEvangelist/node-ipc/issues/233


This still goes to the heart of the obligations of maintainers.

"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."

People keep placing obligations on maintainers in the FOSS ecosystem.

Maintainers don't have to do jank in this situation, except don't fraudulently distribute their software.

If they want to publish their upstream as malware, okay.

It's the end user's fault for continuing to pull that source code and integrate it into their system.


Normally I agree, except in this case when the maintainer becomes the aggressor and literally installs malware to the user. This has nothing to do with FOSS and contributors being obligated to write better code, this is deliberately hacking someone.

That's like saying "it's your fault for giving them your password" when someone opens a phishing link. Yeah, all the scammers did was host a website and send emails, you chose to provide them your information. It doesn't make them not liable.


>If they want to publish their upstream as malware, okay.

I think you'll find that argument will not be very persuasive to a judge if the case is that the author of the software knowingly adds code in after people have integrated it into their systems that on purpose damages those systems.

Intention will often carry weight, and no claiming of rights and purity and see I wrote here you can't do anything to me! is going to persuade a judge that you can just go around destroying property because you want to.


If you sign a contract stating that you get 10k and in return I get to destroy your property, a judge is not very likely to enforce the payment but state that I should not destroy your property “because obviously that's not something you would like”.

The license grants you usage but you agree to no responsibility for damages. You can’t cherry-pick half of it; that defies the entire point of a license. The fact that you’d like to both eat your cake and have it too does not have any weight in court.


Licenses aren't contracts, and more to the point, licenses grant you the right to copy or distribute the software, you do not need to agree to them for use (this is a very common misconception). You have the right to use the software if you have been given a copy by someone with the right to distribute the software, unless you have signed a contract with them stating otherwise (EULAs and other such attempts to force a one-sided contract onto users generally have little weight in court).


People are so clueless about law, this comment is a great example. A licence is worth jack shit in a criminal case (which this would be, if prosecuted).


Agree with this.

I think the difference is between sharing the code and pushing dodgy code down into npm. Which is my misunderstanding.

Pushing this dodgy code down to end users in Russia/Ukraine is a cyberattack.


> If they want to publish their upstream as malware, okay.

NPM's terms explicitly disallow malware. They're free to put the raw source on say GitHub, but the author isn't permitted to package and distribute it on NPM.

https://docs.npmjs.com/policies/open-source-terms


You're spot on, my mistake.

I thought the author published it via Git and some npm maintainer scraped them.

If they distributed this code to end users that's just a cyberattack.


I'm two days late but this is an argument for a developer not removing a security vulnerability from a dead project they've stopped maintaining, not this. I feel like not actively choosing to push malware to a repository where you know many, many automated systems will pull that malware onto the systems of your end-users due to a poor security model in the ecosystem you're developing in is a very very low bar of obligation as a maintainer.

Like, okay, you can't expect a doctor to save the life of every person who comes into the ER, but you can hopefully expect them not to start stabbing patients to death, and something should probably happen if they do, right?

Your argument makes sense for inaction (and is important and not brought up enough, honestly; there is a lot of entitlement in the open source world and people treat library developers in some pretty nasty ways), but not for action, as is the case here. The only obligation anyone expected here was the obligation to hold yourself back from making your project that gets millions of downloads per week point to malware.


I agree, I think I misread.

If you actively distribute, as in push your code out to the world via pushing it into npm, that's very different to sharing the code on GitHub.


So basically you're interpreting this clause as "if I want to be a total asshole, I can, and no one is allowed to complain"?

I reject that interpretation entirely. Sure, maybe the author isn't legally liable for any harm here (though I'm not entirely convinced that's the case), but we are all well within our rights to tell him he's an asshole for doing this.


Intent matters. The maintainer very clearly intended to do harm. They abused end user trust which is a common attack vector for many pieces of malware.


> This still goes to the heart of the obligations of maintainers.

I don't think this comes down to an "obligation" of open source maintainers. I think it's pretty evil of ANYONE to market software pretending it's one thing, when it reality it's malware. Open Source or not doesn't change that.

> It's the end user's fault for continuing to pull that source code and integrate it into their system.

More than one party can be at fault.


Ok, sure. It's our fault.

But now that the maintainer became a malicious actor, I hope they are booted from the FOSS world and their github gets shutdown for illegal behaviour. This behaviour cannot go on unpunished.


and sometimes people ask why I always vendor in my Go code deps and refuse to stop


Plenty of existing ransomwares delete user files on everything-but-RU machines. Perhaps the maintainer of this package subscribes to the old view that "turnabout is fair play".


"Some people in my country were victimized by organized crime in another country, so it's turnabout, and hence fair play, for me to victimize other people in that country"?

"Some people in my country were victimized by organized crime in another country, and that country's government didn't try to stop the criminal activity, so it's turnabout, and hence fair play, for me to victimize other people in that country"?


But that shouldn't be an excuse to sink to their level.


They haven’t really sunk to their level unless there’s an npm module to bomb hospitals I don’t know about. Still bad to target civilians, though.


Well I meant the level of ransomware authors and the like.


> delete user files on everything-but-RU machines

Wasn't that about the Cyrillic keyboard layout? Russia doesn't own either Cyrillic or the Russian language.


But whatabout the other guys????

Are you a child?


Good question, you should ask the maintainer that. I'm speculating about their possible motive for abusing the FLOSS ecosystem in such a destructive way, not trying to justify their behavior or anything.


[flagged]


You know, if you really want to post like you're on /g/ you can just go back to /g/. It's still there.


[flagged]


I'm just saying you'd be happier there, it even has boards for non-tech-related stuff since you don't post here about tech-related stuff. Perfect fit!


>I'm just saying you'd be happier there

You'd be happier on /r/cuckold, yet here you are.

>it even has boards for non-tech-related stuff since you don't post here about tech-related stuff.

I posted on a thread about malware, and made a comment about malware. That's "tech-related stuff". You have poor reading comprehension.

>Perfect fit!

Reddit also has /r/soyboy as well! Perfect fit!


Yup. Although if you do want to get political, I'd say this falls under the definition of cyber warfare. Also the maintainer didn't only "allow" it, it seems he is the author of the malicious module as well.


What's painful is that in terms of cyberwarfare, allied systems maintain dominance of the global grid with innovation and open source. If we had allies in Russia, I'm sure we have fewer now. This sort of DOS attack is effective in first-order effects, but the second-order effects could be increased resentment and new systems developed in isolation.


I think a helpful guide is to ask myself: what would admired US and RU astronauts/cosmonauts do?

I imagine that they are scientists, engineers, and colleagues, and will treat each other with support, as people of goodwill.

There are other people who are active combatants right now, whether or not they want to be, and it is tragic beyond words.

I believe that one of the ways that we non-combatants can help is to set an example -- or to leave a door open -- to how we can treat each other when the current conflict is ended.

That doesn't include lashing out angrily and hurting our fellow open source community members, most of whom presumably want no part of the tragedy, and instead want the same things we do (e.g., to develop good software, collaborate and share with others, pursue careers and businesses, support families, etc.).


This is the sad thing about all of this. Many people are demonizing average Russian citizens for the actions of their government.

When the US invaded Iraq in 2003, I was very much against it, but felt powerless to change the course of my government. (And the US government kept on doing what it felt like, no matter how unjust its actions.) While I was ashamed of my country's actions, I didn't think it would be fair for people in other countries to punish me personally for them.

And this is in the US, a supposed liberal democracy! What chance does your average Russian citizen have of getting a dictator like Putin to change his mind here?


The average russian citizen supports the war


Maybe, but you can't prove that with polls. It's illegal to oppose the war in Russia. The polls everyone is citing were conducted by state TV.

Presuming they didn't just make up their data, imagine you got a call from state TV asking "if you support the special military operation to denazify Ukraine". Your friend just told you they know someone who knows someone who was arrested and charged with opposing the war for holding up a blank piece of paper in public. Do you tell them the truth?

Edit: Here's an anecdote from Russian social media. A person asks why prices are so unstable. The entire shop looks at the ground, mumbles, and ignores them. Does that sound like enthusiastic support or terror to you? https://therussianreader.com/2022/03/16/dixie/


It's quite ironic how the media use Russian polls when they stick to their narrative, and bash them when they don't (i.e. the Crimean referendum). We should take them all with the same level of skepticism.


It's a broader pattern where they pattern-match words without understanding. Like assuming Patriarch Kirill is some kind of fatherly pope-like figure just because of the title and distinguished beard, when in reality he's an ex-KGB agent who made his fortune as a cigarette-smuggling gangster.

I don't think it's about "the narrative" though. I've generally seen these polls used by people who self-identify as against the narrative. These polls are usually posted in the comments section to rebut articles arguing (correctly) that not all Russians support the war.


If you look at the details it's also more optimistic than you might think. For example 25% of under-30s support the war.

https://meduza.io/en/feature/2022/03/07/russia-s-tricky-opin...


I agree with the sentiment here.

Theoretically though in representative democracy you choose the government to represent you and be an agent for making your decisions. You are responsible for what your government does in part that equals 1/Population


everybody knows that representative democracy is not representative. so, no, even theoretically you're not responsible for that reason. although you may be responsible for not doing anything to put in place a more representative democracy in your country (ie. be more involved in politics)


The majority of average Russian citizens support their government's actions against Ukraine. So in my book, they are also responsible.


> Majority of average Russian citizens support their goverment actions against Ukraine

They do. Now, will installing malware on their computers make them change their mind and support Ukraine instead?


I don't advocate or support such malware installation. Just saying that "Russian citizens have nothing to do with this war" is false. There are better ways to express your support for Ukraine, for example, make malware targeting only military or governmental institutions that are directly involved.


This sort of logic justifies terrorist's killing of civilians like 9/11. If they can quote your book, the US citizens voted the governments in that oppressed and bombed members of their religion.


kbart doesn't defend the malware creator. He only made a counterargument to the statement that Russians aren't responsible for their government.


Majority of average American citizens support their government's actions against Iraq/Syria/Libya/Vietnam/... . So in my book, they are also responsible.


It may be the case but no one knows for sure. There is no independent sociology in Russia and the state controlled one is a gear in propaganda machine. Also many Russians are afraid to speak what they think and when asked just repeat what they heard on TV even if they don't agree.


> Majority of average Russian citizens support their goverment[sic] actions

That is a pretty bold claim to be made without any supporting evidence.


yes, but the majority of Russian citizens don't install node modules. This is hitting a demographic where you have the least possible support for the war and the regime (which is also not small, but maybe, hopefully, not a majority)


There is a proposal to add OCaps on a language level in TC39[0]. There is a drop-in implementation which already works in both Nodejs and browsers[1].

As a developer who wants to sandbox your own (recursive) dependencies, this is wrapped and made accessible today in Lavamoat[2]. Basically a package or app can provide a policy manifest specifying which capabilities (e.g. network or filesystem access) should be granted for each sandboxed dependency. Also comes with a tool that will auto-generate a starting point from your existing dependency tree.

IMO this is the future. Currently Lavamoat does come with a performance penalty but hopefully this idea will catch on and make it into language runtime implementations.

Lavamoat is still marked as "preprod" on npm but talking to the original author, the API is practically stable and it will shortly have its first stable release.

[0]: https://github.com/tc39/proposal-ses

[1]: https://github.com/endojs/endo/tree/master/packages/ses

[2]: https://github.com/LavaMoat/LavaMoat


People focus on the attack itself and the reasons behind it. I feel that we are missing the bigger picture here: this type of supply chain attack in the open source world is a systematic problem. It’s a direct result of assumptions baked into services such as npm, pypi, rubygems, etc. and assumptions people have regarding 3rd party dependencies.

The blast radius is monstrously giant. We seem to be still very naive in the way we approach, use, and implement this type of system, with an assumption that maintainers are working in good faith and are reliable.

I don’t know how things should be, and I don’t like to think of contributors and maintainers as a threat, but we have enough examples now to know that ignoring that risk is a fundamental issue.


I agree here, it's insane the number of dependencies JS developers are willing to take on. A decent-sized project will see tens of thousands of extra files added to it (even if a lot of it is non-code stuff like licensing). From an outsider's view it even looks like someone's employability goes up if they manage to add extra dependencies to a project, since they can point to their download count to a prospective employer.

It's insane how much legal liability a company exposes itself to by agreeing to so many unread licenses. And how much attack surface they're exposing themselves to with their sprawling dependency chains.


This is a direct violation of the trust developers place in open source and does nothing to advance any individual's politics. This is purely malicious.


Beyond the obvious security considerations, there are also massive legal/IP considerations.

peacenotwar is explicitly GPLv3 but was added to node-ipc which still claims to be MIT licensed. Suddenly, any user shipping code dependent on node-ipc or Vue could be in violation of that license.

IANAL and don’t know if unknowing breach of the GPL would be enforceable… but zooming out, it’s worth noting that deep software supply chains can carry risk beyond just the risk of an explicit coded attack.


This is crazy. Are you hating on every Russian now? Nobody is shocked by how anger against the Russian state shifted to hate against Russian people?


It's been eye opening to see how easily we can normalize this type of stuff. Social media is also full of deranged calls for full on war against Russia (!!), war crime apologia, and just a pervasive hysterical discourse. The slope is getting so slippery that honestly it's got to stop. Let statesmen impose the sanctions that they deem necessary, they know better than random people.

What Ukraine needs is advanced weaponry, financial and political support. Not this batshit insane vigilantism that will not end well and do absolutely nothing to hurt the Russian state. I can't even imagine if this happened to a more visible minority, say if China invaded Taiwan? It's just scary.

I'm not saying this is on the same level at all, but I'm starting to understand how it got to the point where the internment of Japanese Americans was supported by a majority of Americans back in WW2. As a minority it just gives me this weird unsettling feeling that is a bit hard to explain, even if I'm not Russian.


On top of that, petty, personal attacks like that have the absolute opposite effect if the supposed intention is to motivate russians to protest. It just makes people angry and suspicious of the west, nothing else.


It’s straight out of 1984 groupthink. We have always been at war with Eurasia, they are the enemy.



We have always been allied with Mideastasia, let the oil plusflow like water!


Why is anyone surprised that this is happening. All you had to do is look at how people treat Asian people to realize what was going to happen to Russian people.


[flagged]


I'm sorry but this argument is absurd. Victimizing a population will never make them join your side, and especially not when you openly make it clear that you are targeting them. If you followed the internal situation in Russia, you'd see that the early opposition to the war vanished after sanctions precisely aimed at civilians started piling up. That's also the difference between actual international sanctions and this type of "activism": while nation states have the means and the stated objective of specifically hurting the state apparatus and the government of another nation, GitHub repo maintainers literally can only hurt and target normal Russian people. Official sanctions will hurt the population too, but they at least also target those in power, and those responsible for the war.

Now, obviously, you can say that the Russians are themselves the aggressors and should blame their leaders, which is totally true. But that doesn't matter because they will absolutely not start supporting the side that is actively trying to punish/victimize them. It's beyond counterproductive and it makes the internal situation much much easier for Putin to manage.

By the way, it's scary how many people are starting to unironically use the same type of argument that bin Laden used to attack the US. If you read his letters, he repeatedly said that American civilians were not blameless and were complicit in what America was doing to Muslims because they could've changed their government. Worse, they were instead totally supportive of their state's foreign policy! That made them "fair game" as you said. Now if you don't see how dangerous that line of reasoning can be...


This has been exactly my impression of the internal situation as well. The first wave of sanctions targeted at the Russian government/central bank (where the normal people were only collateral) made the normal people angry at the Russian government for causing that situation. Subsequent sanctions aimed at civilians have left people demoralized/hopeless and angry at the west. Expecting superhuman levels of heroism from people that are being attacked and victimized from all sides is just lunacy. I saw people seriously contemplating suicide.


Around 15,000 people have been detained for protesting since the start of the war, despite facing 15-year prison sentences for simply calling that war a "war" and Russian prisons having documented organized torture rings.

How many times have you faced decades in jail and possible torture?


[flagged]


In London, in 2002, there were big protests against the imminent war in Iraq. According to Wikipedia, "an anti-war rally in London drew a crowd of at least 150,000". The UK is, nominally at least, a democracy. It's certainly a place where protesters are at much less risk than protesters in Russia. But after the protests we still invaded Iraq.

I support Ukraine 100%. I'm glad the UK and EU and US are sending weapons and aid. I'm glad that some Russians are vocally against the war. But honestly I don't know what people expect the Russian protests to accomplish. I don't know how big would be "too big to ignore" - it doesn't seem possible.


[flagged]


I'm sorry, but you have absolutely no idea what you are talking about. Russians have been protesting since 2011, and had protests bigger than that, which only resulted in all of the opposition leaders getting jailed/murdered/exiled and thousands of people having criminal cases opened against them. Tons of people that protested have left the country due to safety concerns.

Belarusians just had a giant wave of protests, with up to a million people (10% of the entire population) taking to the streets, and Lukashenko is still in power, but an unknown number of people have been arrested/disappeared/tortured https://en.wikipedia.org/wiki/2020%E2%80%932021_Belarusian_p...

Saying 20,000 people should go get murdered is also simply evil, no matter what your supposed intentions are.


I never said 20,000 people should die, please don't put words in other people's mouths. It's against HN rules.

I'm saying if the Russian people showed that they disliked Putin in large enough numbers this would end. (either with him ousted, or him having to kill too many people to hide).

Also you are making a FANTASTIC argument for why American/EU imperialism is about to come back in a bad way.

Apparently once a dictator takes over there is no other choice but to just let him do whatever he wants; the country is lost and must be "saved" from itself since its populace can no longer resist.


I'm not saying the country can't change from within, I'm saying two things, one is that you can't change it by attacking random people within it, two is that you have no right to tell people to go face death.

Changing the country takes time and organization: you have to cut through propaganda with the real information, change public opinion, and then organize action. So supporting the opposition and independent journalists, and human rights groups that help arrested protesters, on one hand, and sanctioning the government and the oligarchs on the other, might actually do something. Deleting files of some random Russians and telling them to go get murdered will not.


You do understand you are talking about real people? Young girls, parents of toddlers, grandmas? Why do you think _you_ have the right to tell them to go face possible death and torture?


No, but see, that's okay to do. Having completely insane expectations from the other side and asking normal people to throw away their lives is okay. Just as long as you don't ask for them to do the same, or why they didn't do the same in the past because that's just whataboutism now.

The only charitable interpretation I can come up with is that they maybe live in a democracy and are too used to politics being completely devoid of any danger. It's easy to have strong convictions and strongly held opinions/values in a peaceful democracy, but it's completely different when politics involve violence and can ruin your whole life.


Are the Ukrainians not real people? Young girls, parents of toddlers are getting killed right now by Russians and we are excusing not protesting this cause they may get in trouble, nah that's not ok.


They did choose to overwhelmingly vote for and support politicians that are now murdering real people, including “young girls, parents of toddlers, grandmas”…


Free and fair elections? With candidates who haven't been jailed under trumped up charges, or "fell out" of windows? Free media that informed the electorate?


I have seen enough war crime footage that I am willing to accept any amount of civilian damage against Russia that is going to have an effect on the war, short of nukes.

When your government uses hospital locations as a target list and drops bombs on shelters, I don’t care if your files get deleted.


> I have seen enough war crime footage

You have participated in too many instances of two minutes hate and were gaslighted by propaganda.

I laugh hysterically (in a very sad way) as I scroll through /r/Ukraine and see yet another video headlined as "Another Russian war-crime in Ukraine" that I had already seen a few years ago headlined as "Ukrainian war-crime in Donetsk".

There is no truth anymore, literally every man for himself.


To me this is a call to get off the corporate controlled internet. People have been warning about this since like 2010, and I always agreed that there could be a danger, but I never realized just how bad it already is.

This is a kind of phenomenon that I can only describe as internet psychosis. Considering how toxic all these platforms are, it's quite plain to see now that the people captured by them are not invested in reality and seem to be coalescing into a kind of psychotic frame of mind. Even people who aren't captured are affected by it, and I have no doubt that I've been subjected to multiple psyop and propaganda campaigns just by perusing sites like Twitter, Reddit and YouTube.

The modern internet is a warzone that weaponizes emotions. IMO, for the good of society and the future of the internet people need to get out as soon as possible and build new services that don't play into this.


This seems like a rather silly form of protest. Delete people's files and the only thing you're creating here is more hatred directed at yourself.

If you want to sabotage all Russians for some weird reason, just introduce a race condition that's masqueraded as a compatibility fix for the Russian locale.

If you want to send out a message, take a more peaceful approach. Create a file or print out a translated message like "<Citizen name>, age <age>, was killed in the illegal Russian invasion of Ukraine on <date>" in Russian. Add a link to a picture or a news article if you want. Still a pretty annoying move, probably universally considered in bad taste by most people, but not illegal or destructive. Add something like "the economic recession is because the Western world opposes the Russian government" to make that clear as well, because the immense inflation will probably hit random citizens hardest. Best case scenario you're informing some ignorant Russians stuck behind state propaganda; worst case scenario you piss off some Russian nationalists who will stop using your library.

In the end, this is just another demonstration of how dangerous modern dependency management is. NPM has been through leftpad, colors, now node-ipc, and there's still no way to prevent it from happening again.

I don't know of any language ecosystem with a package manager that doesn't have this problem as well. Perhaps the more boring/slow software dev requiring OS package managers, because Debian maintainers tend to be a little more level-headed than random Github users? Take your pips, cargos, gems, gradles, composers, and you'll find exactly this vulnerability.

The general consensus seems to be "it's impractical to validate all the code we're pulling in, so there's nothing we can do", which is kind of crazy in my opinion. Yes, modern dev does pull in a billion dependencies for every framework, but doing nothing just isn't a problem.

We're one NPM hack away from global catastrophe as long as we don't find a solution for problems like these.


I only read it briefly but the HN submission title talks about erasing files on RU/BY computers, while the blog post talks about creating files on desktop.

Could someone verify which statement is true?


> On March 8, at 7:25PM GMT+2 and less than four hours after node-ipc@10.1.3 had been published to roll back the destructive payload, a new major version node-ipc@11.0.0 was released on the npmjs registry.

The old version erased files, the new one leaves a file on the desktop.


Looks like they realized the ramifications and suddenly changed their payload. Well, that won't help them, since companies that use this module will have their legal department barking. They cannot erase the damage they have done and get away from the ramifications with a version change. Since this is distributed through GitHub, Microsoft legal possibly will be involved due to possible violation of cyber/hacking laws in various countries. This is going to be ugly for the developers.


I don't see any issue for the developers at all. It is their software to create and alter as they see fit. End users choose to use the package, it is not being installed on their machines without their knowledge.


Four things:

1) Why did they change the code all of a sudden? If they are fine with releasing this kind of damaging payload, then why did they decide to change the code? I mean they want to make a statement, right? Then they should leave the original code and stand by it. Why are they not standing by their statement?

2) Why is RIAEvangelist editing people's comments to minimize their language? Why are they censoring their comments? I checked the edited button and you can see RIAEvangelist made some interesting changes on their comments.

3) If RIAEvangelist felt his protest should be public and known, but users can't? You can clearly see they were trying to censor comments and users at the beginning. So odd for a developer who wants to protest but yet refuses to allow users to voice their protest. Strange, strange mentality.

4) That is their free speech, but that is only free speech from the governments. I realize my comment indicated legal ramifications. It is not the governments that RIAEvangelist should worry about, it is the private companies they should worry about, especially as the platform they are using is known to be extremely litigious. They have far more power and money to ensure their maximum punishment. Private companies will use the law and lean hard on the government to do something. Private companies have done it before and they will do it again.

I don't have an issue with their principle. It's just that it is not the right platform/soapbox to use because it can cause unexpected damage if the original code is left up. It could spill over to companies who would be unintentionally targeted by it. Software is never perfect and it can be ugly. The developer had the right mind to change the code to minimize the damage because it will be ugly for them if they leave it up.


[flagged]


Little text to say that you support the malicious actions and hope that nothing is done.


That is not the position ctvo is making at all. He never said he was in support of malware. He is stating that there should be no legal ramifications. The person who added the malware is definitely a piece of shit, but I also agree he should not face legal ramifications. This is his code and he is allowed to do with it whatever he wants. It is up to the consumer to safeguard against external code. Legal ramifications would cause a legal precedent to be set for open source code and ownership; that is a very dangerous path. I understand the anger and frustration, I feel it too. However, it is still his code.


I too would normally agree if the software wasn't actually malicious this time. It is one thing to create an infinite loop in a package that can simply be terminated, but a whole other can of worms to actually start removing users files. I generally agree with what you are saying that open source developers don't owe anyone anything, but there is a line, otherwise think about the precedent it sets when open source dies out because businesses and government stop using open source because of hostile takeovers by other nations who then use popular open source projects to spread malware. People cheering this would be devastated if this happened to them, but by cheering that is what they are advocating for.

Nothing is black and white, I think there should be some flexibility because after all it is open source; however, intentionally deleting user files or installing spyware is where I draw the line. If you want to break your own software, then fine, but don't go breaking other people's software intentionally and deleting files when that is not what your software was designed to do and you've given no warning or indication to other users that you plan to change it.


The original statement was that this person isn't likely to face legal recourse. The comment I was replying to was very lengthy, but never addressed that statement or made a LEGAL argument that this person would face legal recourse, hence my reply.


I'm curious if you think the same applies to a developer that writes any kind of ransomware when an end user downloads and installs it knowingly. End user trust is a common attack vector for malware and the developer here took advantage of that just like any other malware developer.


Must GPL my ransomware. Thanks for the reminder!


The analysis here is actually really frustrating. The initial code snippet is only partially analyzed. It makes a HTTP request to a third party geoip service to detect location, then recursively overwrites files if the location is Russia or Belarus. I can't understand why the article doesn't talk about this, but the code is there (albeit obfuscated).


Guy has his real name on his github page. Googled him, he has a Wikipedia page, created by a Wikipedia user with the same username as his Github one. Well, I think that says all I need to know about his character.


This developer has every right to a nervous breakdown over the war in Ukraine.

The npm ecosystem distributing yet another malicious module is more serious though.


There's no reason to excuse criminals over lack of enforcement.


So he’s a criminal now? Under what law, of what nation? Russia?


Most countries have cybercrime laws that have clauses for malicious code. Here in Australia for example:

Cybercrime offences are found in Commonwealth legislation within parts 10.7 and 10.8 of the Criminal Code Act 1995 and include:

-Computer intrusions

-Unauthorised modification of data, including destruction of data

-Unauthorised impairment of electronic communications, including denial of service attacks

-The creation and distribution of malicious software (for example, malware, viruses, ransomware)

-Dishonestly obtaining or dealing in personal financial information.


Is it unauthorised if a user chooses to add the package themselves? This is not being put into anyone's machine clandestinely. It is the software user's responsibility to ensure the software is doing what you expect.


IANAL, but I suspect that it is considered unauthorized as there are many avenues in which a dependency will get updated without a user specifying this exact package and version. I think the key here is that there is clear malicious intent.


I rather doubt grandma pressing OK when asked to install the CoolWebSearch toolbar would hold up as a legal defense.


Up to a court to decide. Turns out he's in California which has laws against writing and distributing malicious code.

He's looking at state level:

if charged as a misdemeanor, the crime is punishable by: imprisonment in county jail for up to one year, and/or a maximum fine of $5,000.6

If charged as a felony, the offense is punishable by: imprisonment for up to three years, and/or a maximum fine of $10,000.7

Federal charges I'm not sure about.


Laws are enforced by people. I doubt any prosecutors will care, and if there are, I doubt any jury will convict.


Whats up with the .6 and .7?


Probably section numbers that copied and pasted weirdly.


inflation


Pretty sure under any Western country's law?


Wikipedia TOS


Criminal because of violating Wikipedia TOS. Seems about right. /s


I love the idea we will soon have western and eastern open source projects. Even if internet isn't bifurcated, both sides will be too paranoid to install software from the other side. All software projects will have to pedantically vet every line of a commit, photo ID every contributor, to avoid subtle bugs intentionally committed and sent to millions.

Why stop at countries? How hard would it be to use ML to detect if the user has the wrong politics? Why stop at just deleting files? How about downloading as much illegal content as possible, sending embarrassing emails, etc? There's so many possibilities here.


> photo ID every contributor

If the Western FOSS ecosystem demands KYC from me I'm dumping them for the Non-Aligned Movement.


- @vue/cli
  - @vue/cli-ui
    - node-ipc@^9.2.1
  - @vue/cli-shared-utils
    - node-ipc@^9.1.1

Due to the nature of the ecosystem I feel like

- pinning the dependencies
- running something like renovate
- merging the resulting MRs with quite a delay from when they were opened

are some basic steps in mitigating this sort of silly, but potentially expensive, stuff.


Note that the only vulnerable version was @vue/cli v5.0.2, which was intended to pin the version of node-ipc to v9.2.1 but accidentally allowed versions greater than that: https://github.com/vuejs/vue-cli/commit/37ef809c873f33c88ba7...

The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...

It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.

1. https://www.npmjs.com/package/@vue/cli?activeTab=versions

2. https://vuejs.org/guide/quick-start.html

3. https://github.com/vuejs/create-vue
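The two comments above turn on the same detail: the difference between an exact pin like `9.2.1` and a caret range like `^9.2.1`, which is what let a later node-ipc publish flow into @vue/cli. The following is an added example, not code from the thread or from vue-cli: a minimal resolver for just those two range forms, run against a constructed list of published versions (the version numbers are illustrative and are not node-ipc's real publish history). Real npm uses the `semver` package; this reimplements only the subset needed to show why the typo mattered.

```javascript
// Added example (not from the thread or from vue-cli): exact pin vs caret
// range resolution over a constructed registry listing.

// Parse "x.y.z" into three integers; anything else is unsupported here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions (negative, zero, positive).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when `version` satisfies `range`. Supports exact pins ("9.2.1") and
// caret ranges on full versions with major >= 1 ("^9.2.1"), which is all
// the vue-cli manifest quoted in the thread uses.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const baseMajor = parseVersion(base)[0];
    const major = parseVersion(version)[0];
    // ^x.y.z with x >= 1: same major, and not older than the base version.
    return major === baseMajor && compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0; // exact pin
}

// Newest published version matching `range`, as an unconstrained install
// would pick it; null when nothing matches.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// Constructed registry listing (illustrative version numbers only).
const PUBLISHED = ['9.1.1', '9.2.0', '9.2.1', '9.2.9', '10.1.3', '11.0.0'];

// Side by side: the pin stays put, the caret range floats to the newest 9.x.
function resolveDemo() {
  return {
    pinned: resolve('9.2.1', PUBLISHED),
    caret: resolve('^9.2.1', PUBLISHED),
    olderCaret: resolve('^9.1.1', PUBLISHED),
  };
}
```

Call `resolveDemo()` to see the three resolutions; the pinned entry stays on `9.2.1` while both caret ranges pick the newest 9.x in the listing. Note that a caret range never crosses a major boundary, so the `10.x`/`11.x` entries are excluded either way; the exposure a caret range creates is to every later publish within the same major.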


n-1 is a great concept that works right up until log4shell starts happening.

The solution is to audit all code you rely on, the unviability of that solution is the fault of the npm micro package ecosystem.


The micro package ecosystem is also self-reinforcing: some micro packages were created by the same developers who have spun ownership of these things into more lucrative positions.

I've tried to get rid of micro packages in the dependency tree of popular libraries, but because it's a turf war, PRs get closed, and the problem continues.


I don’t think anything will change until large development firms pressurise popular projects to stop the behaviour.

I hope you speak with executive and lead developers to highlight the volatility of the ecosystem, like I do, every chance I get.


Node.js just needs a proper standard library and this will stop in no time. Never going to happen though.


Curious why that might be, if you have any insights?


Guess it's time to chroot each project folder if you're using any package manager or external libraries. Though on second thought it's just a band aid as the damage which can be done after deployment is far worse than anything before.


“Trust takes years to build, seconds to break, and forever to repair”.


In war, collateral damage, or the harming of non-combatants is usually justified by the argument that it deals significant enough damage to enemy combatants to outweigh the harm done to civilians.

What would you call an operation that has nearly 0 effect on enemy combatants and only deals damage to civilians?


Terrorism?


slacktivism


What's next? Prescribe wrong medications to Russians?


Comments seem split between "that's illegal, beware the lawyers" and "don't RCE yourself then cry about it".

I've got some bash scripts on GitHub that would delete files on the local machine if run. Today I don't care if anyone else runs them. If, however, the winds are blowing towards people doing themselves harm with my code being my problem, I guess I should delete the code I've published.

Bad precedent to see here.


Big difference between random code on GitHub and modifying a high-use JS dependency to delete user files. I'm not against protesting in software, for example printing something to stdout during install, but deleting files is malicious beyond reprieve.


Maybe, I'm not totally confident about there being a meaningful difference.

If the former counts as distributing malware, my bash script that clobbers local directories to put the machine back into a sane default state might be too. It does rm -rf ~/$DIR and similar. It's just not as successfully deployed.

Or software that wastes resources; maybe it goes into an infinite loop and DoSes the local CPU. I've got one of those called 'heater' or similar that I used to warm up a MacBook in a cold office. If someone ran that on a cluster it would be unhelpful.

Maybe the change in functionality to malware from a widely shipped useful product is the key distinction, coupled with limited disclosure of the behaviour change.


Our phones have all kinds of spyware on them from the vendor, from Google and from 3rd party apps. They, as well as routers, probably also have tons of vulnerabilities known but not fixed due to the lack of interest from the vendors. Sometimes Google cancels accounts, blocking access to all of its data without giving a reason or recourse.

It's 'funny' and hypocritical (as many folks here work for Google and other companies related to the aforementioned issues) that we're condemning a dude for getting emotional and causing limited damage in cyberspace while a crazy dude is wreaking destruction in meatspace, killing thousands and threatening the world with nuclear war.

I understand the fears that this can undermine this nice thing we have that is opensource. Though the nice thing is that individuals voluntarily share code for whatever intrinsic reasons they have. MIT provides no warranty of any kind and there's no moral obligation to serve and make it corp-friendly. As developers our code is generally the only 'real' power we have and we can't deny that guy his agency.

RIAEvangelist was sloppy and probably will suffer consequences for his activism. Being banned from GitHub and the NPM registry are expected and fair due to probable ToS violations and the interest of the organizations in preserving trust. But I fail to see how what he did is more or less ethical than financial sanctions like those recently applied to Russia. If he were to make it look like a mistake it would save him the trouble because ignorance/incompetence are socially accepted.


Never a better time to be vendoring your npm deps & reviewing the updates to packages. Not too difficult to pull in the new version, then git diff the changes in the `lib` directory of that package.


There is a possibility that Russia reports that through Interpol Cybercrime or via a diplomatic channel, then the FBI will have to investigate and possibly lock up Brandon.


No, this mechanism is simply not working.

Western politicians and public media have been bashing and portraying Russia as "a haven for hackers" for some time now, but it's not like the US is any better from Russian perspective.

Russian law enforcement has huge stacks of unsolved cybercrime cases, that are essentially blocked by lack of cooperation from a foreign counterpart.


No reason for the West to cooperate when Russia doesn't either.


And no reason for Russia to cooperate when the West doesn't either.

Welcome to global politics, where the leaders of the world's superpowers can't do any better than kindergarten-level "no you!" argument.


"you get what you pay for"


Kind of a thoughtless comment from an industry that owes so much to the open source community.


But muh security patches!!!!!!


You know what this is? This is a Civil World War. And it is only just starting.


This is so CURRENTYEAR. We're reaching levels of slacktivism so fucking stupid I honestly don't know where we go from here. I thought changing "master" to "main" was fucking stupid, but this really takes the cake. I foresee a future where someone does this for all Texas IPs because they delusionally believe it's being ran by neo-Nazis, that Texas is a fascist state.


[flagged]


I rarely visit HN and mostly lurk here, not sure what you're trying to point out.

I was myself hit by the issue, unfortunately, and I strongly believe that weaponising open-source is not how things should be done, so I decided to post. An attempt to bring this into limelight, if you wish

This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on


>This incident sets a dangerous precedent in breaking a chain of trust that today's software development heavily relies on

Such precedents should be set, we shouldn't be relying on that chain of trust (as clearly demonstrated here).

Updates should be vetted, signed, etc. Fetching stuff random people push to npm is a recipe for disaster.


How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

And who's signing these updates? The package owner? Well, he's the one adding malicious code so he can sign whatever he wants.

I'll say it again, Node.js needs a proper standard library like Go that takes care of common needs most people have. It's been improving but it was a historical mistake to let microdependencies run wild.


IMO npm should have a "stable repo" and a "community repo" just like most distribution packagers have had for a long time.


> How are regular developers going to vet the literally 1000s of Node.js dependencies they rely on?

Perhaps they shouldn't be relying on thousands of NPM packages. It's not difficult to write JS code that doesn't `npm install` the entire package ecosystem.


If you use React, Vue and others, that decision has been made for you.


I wasn’t suggesting any nefarious intent, only that this was the topic that made you go “Today is the day I post.”

Sorry to hear you were impacted by this. Software supply chain challenges are copious, unwieldy, and everywhere.


>I wasn’t suggesting any nefarious intent,

Oh, please. The only thing missing was to accuse asn007 of being a "Russian troll", although I suppose you realized that that would not be appropriate in this case.

Just own up to your apology.


Sorry that’s what you took from it, if you’re looking for an apology. People are interesting, that’s all, and I am curious about how they tick. There is a difference between “How odd!” and “This person is up to no good.”

Whether someone is a “Russian troll” or not really doesn’t concern me, and I wouldn’t call someone out if I thought they were (that’s a mod’s problem and poor form), nor was that what I was insinuating.


I don't know how I feel about this.

One hand, this is a seemingly non-violent and subtle way to protest. On the other, the potential collateral damage is huge and just burns all trust with this developer, and is a net harm to the ecosystem as a whole.

FOSS is great, because we were actually able to track the changes here. But it also points out how many packages go un-checked and just installed into a container running with root permissions.


> I don't know how I feel about this.

> One hand, this is a seemingly non-violent and subtle way to protest.

You can't be serious. Being non-violent and subtle is no excuse for deliberately making software have real side effects on a computer that it's not advertised to do, especially a node library. Node modules for some reason tend to be very small and have trivial tasks like checking if something is a number. Imagine if everything shipped with its own political malware.

No matter how you want to spin it this is completely unacceptable and nobody should ever trust this developer again.

> But it also points out how many packages go un-checked and just installed into a container running with root permissions.

The fact that "packages go unchecked" doesn't make this okay either.


>Imagine if everything shipped with its own political malware.

Then people could write their own code to check if something is a number.


I didn't condone anything or anyone, I just stated I wasn't sure how to feel about it.

Any assumptions or claims beyond that are your own delusions.


I dunno. If you’re sloppy enough to install whatever dependencies onto your system, and not notice a new dependency, called “peacenotwar”, I’d say it’s your problem.

Doesn’t necessarily make it OK, but this will only affect the sloppy.
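Noticing a new dependency appearing in the tree is something a script can do on every lockfile change, rather than something that depends on a reviewer's eye. The following is an added example, not code from the thread or from npm: a diff of two package-lock.json documents (both constructed stand-ins in the lockfileVersion 2/3 layout, where `packages` is keyed by install path) that reports added, removed and version-changed packages, so a new transitive dependency such as the one named above is surfaced in the merge request before anyone installs it.

```javascript
// Added example (not from the thread or from npm): report what changed
// between two lockfiles, keyed by install path. Both lockfiles below are
// constructed; the package names and versions are illustrative.

// Recover the package name from an install path,
// e.g. "node_modules/a/node_modules/b" -> "b", "node_modules/@vue/cli" -> "@vue/cli".
function packageName(installPath) {
  const parts = installPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns { added, removed, changed } keyed by install path. The root
// entry (empty key) is the project itself and is skipped.
function diffLockfiles(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const added = {};
  const removed = {};
  const changed = {};
  for (const [path, entry] of Object.entries(b)) {
    if (path === '') continue;
    if (!(path in a)) {
      added[path] = { name: packageName(path), version: entry.version };
    } else if (a[path].version !== entry.version || a[path].integrity !== entry.integrity) {
      changed[path] = { name: packageName(path), from: a[path].version, to: entry.version };
    }
  }
  for (const [path, entry] of Object.entries(a)) {
    if (path !== '' && !(path in b)) {
      removed[path] = { name: packageName(path), version: entry.version };
    }
  }
  return { added, removed, changed };
}

// Constructed "before" lockfile: one direct dependency, no transitive ones.
const BEFORE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/some-lib': { version: '9.2.1', integrity: 'sha512-AAAA(constructed)' },
  },
};

// Constructed "after" lockfile: the same dependency bumped, and the bump
// pulls in a transitive package that was not there before.
const AFTER = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/some-lib': { version: '9.2.9', integrity: 'sha512-BBBB(constructed)' },
    'node_modules/some-lib/node_modules/new-transitive-dep': {
      version: '1.0.0',
      integrity: 'sha512-CCCC(constructed)',
    },
  },
};

// Flatten the diff into the lists a reviewer (or a CI gate) would act on.
function reviewList(before, after) {
  const d = diffLockfiles(before, after);
  return {
    newPackages: Object.values(d.added).map((e) => e.name).sort(),
    changedPackages: Object.values(d.changed).map((e) => `${e.name}: ${e.from} -> ${e.to}`),
    removedPackages: Object.values(d.removed).map((e) => e.name).sort(),
  };
}
```

Run `reviewList(BEFORE, AFTER)` on the constructed pair and the new transitive package shows up under `newPackages` alongside the version bump that introduced it. Wired into CI as a required check, a non-empty `newPackages` list is a cheap place to block the merge until someone has looked at what the new package does.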


No one is going to audit the entire transitive closure of their dependency graph for every project they try out on their computer. This is not just going to affect the sloppy.


It's childish. Striking out maliciously at random web developers surrounded by state propaganda is counter-productive. This just annoys them and feeds the narrative that they're under attack by the West who hates them.

I would imagine web developers over there, being more educated, technical, and exposed to the West, would be the ones less likely to support the war.

There's nothing subtle about wiping files, why not provide news and information that's being blocked? This could have been an information bridge that would be hard to censor. Hell, run a crypto miner on their machine and donate to Ukraine if you're trying to help, that'll have more of an impact than wiping some poor dev's files.


Your suggestions are also childish and just as flippant.

I don't know how to feel about this because it's not much different than sanctions in theory (very different in execution). Cause pain for people so they "force internal change."

It's not something to root for gleefully.


> why not provide news and information that's being blocked

It's not really an issue to bypass blocks (how do you think Russians access rutracker). Especially not for a person who is capable of doing something with NPM packages.


100%

> why not provide news and information that's being blocked?

Radio free europe style. I like it


It isn't going to stop Putin but it could negatively impact normal people. In no universe will the handful of Russian programmers impacted by this rise up and overthrow their government, but they will be forced to work extra hours cleaning up any damage this caused to their system. This is really lame virtue signalling that only harms fellow workers because their government is terrible.


But this is pretty much the exact logic sanctions work by. Putin and his cronies might lose some super yachts but the main aim is to crash the Russian economy, which will hurt everyday Russians far more than any leader. Not that I have any better ideas, but you could argue this move is in a similar vein.


The sanctions also choke the state's military of funding.


Sanctions lower taxes which hurt the government funding. It may or may not be effective but they are not remotely the same.


So sanctions? I get it, collateral damage is indeed collateral. That's why I don't know how to feel.

If this move broke some key software used on the battlefield, would we all be so quick with our positions?


It's his software, he can do what he wants with it. It is the responsibility of those who use packages to determine what it is doing. Everyone is free to write their own version or even fork an earlier version of the code if they want.


t. malware writer

