Protestware or potentially unwanted behavior

Information

Protestware is software modified by its author with legitimate access for the purpose of making a statement or raising awareness. Unless the author is going for a scorched earth approach, the protest is usually designed to coexist with the software's intended functionality.

Protestware walks a fine line on the border of malware. When the embedded content or code’s behavior starts to interfere with the intended functionality or user experience of the software, or performs actions without the user’s consent, it crosses into malware territory.

Because of the immediate and unintended disruption protestware can have on open source supply chains, Socket’s AI-powered threat detection flags protestware/troll packages as a high severity risk:

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Recommended actions

1. Investigate the Dependency:
   • Verify the claims about the dependency being protestware. Check the official repository, issue trackers, and recent changes to understand the nature of the modifications.
   • Assess the impact of the changes on your project. Determine if the protestware introduces any harmful behavior or if it simply displays a message of protest.
   • Determine if the protestware poses any security risks, such as data breaches, data corruption, or unauthorized access. Consider running security scans and checking for malicious code.
2. Replace the Dependency:
   • Find an Alternative Library: Search for other libraries that provide similar functionality but have a more stable and trustworthy reputation.
   • Fork and Maintain: If no suitable alternatives exist, consider forking the original repository and maintaining your own version without the protestware changes. This ensures that you retain control over the dependency.
3. Pin Dependency Versions:
   • Lock the dependency to a specific version that predates the protestware changes. This can help avoid pulling in unwanted updates until a long-term solution is found. // Example for package.json "dependencies": { "some-library": "1.2.3" }

Examples

• Protesting the npm Registry: The Left-pad Incident: In 2016, Left-pad author Azer Koçulu decided to delete all of his nearly 300 packages in protest in protest of a naming dispute on npm. The left-pad package, by far the most popular, had been downloaded nearly 2.5 million times in the month prior to it being unpublished.
• Popular npm Packages Modified in Protest of Free-Riding Corporations: In 2022, the ‘colors’ and ‘faker npm packages were modified by their maintainer ostensibly in protest of corporations who use open source projects without giving back. This affected thousands of projects depending on these packages. The corrupt versions of the packages triggered infinite loops causing a denial of service.
• Developer Protests PyPI Enforcing 2FA: In July 2023, the developer of the widely used ‘atomicwrites’ library deleted his package from PyPI to protest the registry announcing plans to mandate a new two-factor authentication requirement for maintainers of "critical" (top 1%) projects. 'Atomicwrites' was getting 6 million downloads per month before its author deleted the package. He republished ‘atomicwrites’ to reset its download counts.
• International Conflict Fuels 2022 Uptick in Protestware: Politically-motivated open source protestware saw a significant increase in 2022 in response to Russian aggression in the Russia-Ukraine war. Some of the more benign forms would use geo-targeting to add a simple call for peace message in support for Ukraine if a Russian IP address was detected. Other packages went a step further. In one notable incident, npm user riaevangelist, maintainer of the popular node-ipc package, which was receiving a million downloads weekly downloads, published a new package that added protest messages to the target machine and included it as a dependency of node-idc. He also added a file that targeted Russian and Belarusian IP addresses to run a malicious payload that would destroy all files on disk by replacing their content with a heart emoji.

Detection Method

This alert is triggered by a list of troll packages that Socket maintains. When one shows up in our AI threat feed, it is verified by a human researcher before being flagged as Protestware.

Additional resources

• Current packages with the Protestware Alert
• A Short History of Protestware