A Short History of Protestware

This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.

Sarah Gooding

January 13, 2024


As part of a new series we’re doing on various indicators of software supply chain compromise, today we’re exploring the intriguing and controversial phenomenon of protestware.

This form of digital activism has evolved over time to become a formidable tool for software developers to express political or social stances, challenging traditional notions of software neutrality and security. Unsurprisingly, embedded activism isn’t always compatible with maintaining the integrity and reliability of the software supply chain.

“Do not fold, spindle, or mutilate.”

Protestware is almost as old as the hills, with its roots in the early days of computing. Punch cards were the best technology for taking a census and keeping records in the early 20th century, and they became a countercultural symbol in the 1960s and 1970s. The cards became synonymous with the dehumanizing control of the system.

Punch cards were printed with the instructions “Do not fold, spindle, or mutilate,” so they would not jam the machine.

“Why would people mutilate punch cards? Punch cards were the interface between the public and the billing system. Metaphorically, they were where the public meshed with the corporate world. They became symbolic of the whole system. Earlier, it had been the machines that were the focus of attention; in the 1960s the cards took center stage.” (Lubar, “Do Not Fold, Spindle or Mutilate”: A Cultural History of the Punch Card)

In addition to many business and governmental uses, punch cards also tracked class registration at universities.

Students who were part of the Berkeley Free Speech Movement in 1964 demonstrated their ability to control the machines by punching their own cards and slipping them in with the official ones:

“Some joker among the campus eggheads fed a string of obscenities into one of Cal's biggest and best computers, with the result that the lists of new students in various classes just can NOT be read in mixed company.” (Berlandt, “IBM Enrolls”)

Image: students also punched cards with words from the phonograph album cover for "FSM's Sounds Be Songs of the Demonstration!" (image source: Library of Congress)

The 1980s brought us personal computers and the rise of hacktivism, which was often motivated by political views, cultural or religious beliefs, or terrorist ideologies. Hacktivism is distinct from protestware in that it usually involves breaking into or disrupting a system without the owner’s consent.

Protestware, on the other hand, is software modified by an author who has legitimate access to it, for the purpose of making a statement or raising awareness. Unless the author is going for a scorched-earth approach, the protest is usually designed to coexist with the software's intended functionality.

Protestware walks a fine line on the border of malware. When the embedded content or code’s behavior starts to interfere with the intended functionality or user experience of the software, or performs actions without the user’s consent, it crosses into malware territory.

Protesting the npm Registry: The Left-pad Incident

Fast forward to the 21st century, and protestware has become a more ethically nuanced topic, as developers deliberately sabotage their own open source libraries in protest against governments and corporations.

One of the first high-profile incidents of a protest affecting open source supply chains involved “left-pad,” an 11-line package whose single function adds extra space to the left side of a string of text.

Following a dispute over the naming of ‘kik,’ another of his modules in the registry, left-pad author Azer Koçulu decided to delete all of his nearly 300 packages in protest.

"This situation made me realize that npm is someone’s private land where corporate is more powerful than the people, and I do open source because Power To The People," Koçulu wrote on his blog.

Left-pad had been downloaded nearly 2.5 million times in the month before it was unpublished. Other developers quickly filled the gap with new packages that performed the same function, but the 2016 incident demonstrated the fragility of the open source ecosystem in the face of protest.

In one notable incident in 2022, the ‘colors’ and ‘faker’ npm packages were modified by their maintainer, ostensibly in protest against corporations that use open source projects without giving back. This affected thousands of projects that depend on these packages.

The corrupted versions of the packages triggered infinite loops, causing a denial of service.

‘Colors’ prints colorful text messages on the console, and ‘faker’ generates fake data for developing and testing applications. At the time, ‘colors’ was receiving more than 20 million weekly downloads on npm, with ~19,000 projects relying on it. ‘Faker’ was being downloaded 2.8 million times weekly, with 2,500 dependent projects.

Although the packages’ developer, Marak Squires, did not explicitly state why he added protestware, a GitHub issue from 2020 offered a possible clue to his motives.

Developer Protests PyPI Enforcing 2FA

Python packages are not immune to developers’ acts of protest. More recently, in July 2023, the developer of the widely used ‘atomicwrites’ library deleted his package from PyPI to protest the registry’s announced plan to mandate two-factor authentication for maintainers of "critical" (top 1%) projects.

'Atomicwrites' was getting 6 million downloads per month before its author, Markus Unterwaditzer, deleted the package. He republished ‘atomicwrites’ to reset its download counts.

"I decided to deprecate this package," Unterwaditzer said in a GitHub issue. "While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI's sudden change in rules and bizarre behavior wrt package deletion doesn't make it worth my time to maintain Python software of this popularity for free. I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so."

Package deletion can have as strong an impact as a protestware modification. In both cases, developers who depend on the package must immediately find alternatives.

International Conflict Fuels 2022 Uptick in Protestware

Politically motivated open source protestware increased significantly in 2022 in response to Russian aggression in the Russia-Ukraine war. Some of the more benign forms used geo-targeting to display a simple call-for-peace message in support of Ukraine if a Russian IP address was detected. Other packages went a step further.

In one notable incident, npm user riaevangelist, maintainer of the popular node-ipc package, which was receiving a million downloads weekly, published a new package that wrote protest messages to the target machine and included it as a dependency of node-ipc. He also added a file that targeted Russian and Belarusian IP addresses to run a malicious payload that would destroy all files on disk by replacing their content with a heart emoji. This is one situation where protestware crossed the line into malware.

More npm packages were found to include protestware in 2023, with messages regarding the conflict in Israel and the Gaza Strip. These messages are meant to raise awareness of human suffering, but the calls for peace are less compelling when they arrive packaged with a new postinstall script.

The Problem with Protestware

Protest is an important and healthy way to question power dynamics and hold authorities accountable. Although some see protestware as a similar form of activism, it raises significant concerns about trust and security in the software supply chain.

Maintainers of popular packages may use their influence in unexpected ways. Many developers may agree with a protester's political views yet disagree with the mode of expression. Trust and collaboration are paramount in the open source ecosystem, and protestware can create unnecessary division, especially if contributors feel their projects are being co-opted for causes they don’t support.

Protestware blurs the lines between legitimate software functionality and potentially harmful actions driven by political motives. Even if it doesn’t obstruct the primary purpose of the software, the chain of trust is broken.

Socket AI Flags Protestware/Troll Packages

Because of the immediate and unintended disruption protestware can cause to open source supply chains, Socket’s AI-powered threat detection flags protestware/troll packages as a high-severity risk:

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

In this particular example package, Socket’s AI warns of the following and links to the code in question:

This module exports a function that schedules automatic system shutdown and deletes specific directories from the node_modules folder based on specific dates in 2023. The code is highly suspicious and poses a significant security risk. It should not be used under any circumstances.

It’s important to have reliable protestware detection in place, in case a rogue maintainer decides to slip a little something extra into a package you have trusted for years. Our free Socket for GitHub app checks for protestware (among other signals of supply chain compromise) in the background whenever a dependency is added or updated in a pull request.

While you cannot control open source software maintainers and their responses to global events and injustice, you can take proactive measures to ensure your projects remain free from unexpected and potentially disruptive code.
