Cyberwar escalation
From arstechnica article Sabotage: Code added to popular NPM package wiped files in Russia and Belarus:
Two weeks ago, the node-ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used the node-ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.
I would expect that there are currently officers at the FSB and also non-government actors in Russia who are thinking about how to retaliate against this attack.
If you don’t have a setup for data backup and would lose important data if someone wiped your hard drive, now is the time to fix it.
If you have the keys for any package on which others depend it also makes sense to make sure that you aren’t an easy target for the FSB and other Russian hackers who want to retaliate in kind.
Packaging your cyberweapon in a peace-not-war module is like it’s 1984. It would be good if the FBI reacts fast and charges RIAEvangelist for hacking to prevent escalation of the conflict.
The Biden administration also warns for increased cyber attacks:
This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.
If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
However, if I had a company, at any place of the planet, I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever. Simply because, today it was Russia, tomorrow he might change his mind and decide that actually capitalism is the root of all evil, who knows. The chance is perhaps small, but why take the risk? You can only lose your reputation once.
Even from the perspective of “this is unique opportunity to cause damage to the enemy”, this action was stupid. The most likely victims were young people, i.e. precisely the part of demographics that opposes Putin, on average. And if you want to use your software for a cyber attack, it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you a code that only activates on a specific IP address, and maybe steals an important state secret, and maybe no one would even find out. Instead, FSB will now be more careful about this attack vector.
The only good outcome is that people have noticed how utterly insane is the current state of JavaScript development, and hopefully everyone will now get a bit more careful. (Ah, probably not. But one can dream.)
The sadder part is that an action like this damages the whole system. Sure I should avoid “node-ipc”, but the probability of such things happening with any package has also gone up—perhaps some Russian sympathizer does the same thing in retaliation, or more likely, someone in some unrelated conflict in the future decides to do this because there’s precedent for it. So now I need to worry about all packages, and either do costly extra things like locking all package versions and then manually updating them over time, or perhaps do nothing but expect that I’ll get pwnd more frequently going forward :(
Yeah, we’re all really worked up right now but this was an utterly wild failure of judgment by the maintainer. Nothing debatable, no silver lining, just a miss on every possible level.
I don’t know how to fix it at the package manager level though? You can force everyone to pin minor versions of everything for builds but then legitimate security updates go out a lot slower (and you have to allow wildcards in package dependencies or you’ll get a bunch of spurious build failures). “actor earns trust through good actions and then defects” is going to be hard to handle in any distributed-trust scheme.
I don’t think about it in terms of a pretext. I do think that when someone at the FSB reports to Putin about the damage done to Russia by an attack like this, they might want to propose options about how to retaliate.
Motivating nonstate actors matters as well.
Which is probably happening already at a high rate. This node package author could be the one in a thousand who decided to take the visible, evil, ineffectual route instead of the invisible, evil, effective route.