clock menu more-arrow no yes

Filed under:

After ‘protestware’ attacks, a Russian bank has advised clients to stop updating software

New, 15 comments

The move comes after an anti-war developer sabotaged a popular open-source code library

Photo by Amelia Holowaty Krales / The Verge

As the Russian invasion of Ukraine draws on, consequences are being felt by many parts of the technology sector, including open-source software development.

In a recent announcement, the Russian bank Sber advised its customers to temporarily stop installing software updates to any applications out of concern that they could contain malicious code specifically targeted at Russian users, labeled by some as “protestware.”

As quoted in Russian-language news sites, Sber’s announcement reads:

Currently, cases of provocative media content being introduced into freely distributed software have become more frequent. In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.

Where there was an urgent need to use the software, Sber advised clients to scan files with an antivirus or carry out manual review of source code — a suggestion that is likely to be impractical, if not impossible, for most users.

Though framed in general terms, the announcement was likely made in reference to an incident that took place earlier in March, where the developer of a widely used JavaScript library added an update that overwrote files on machines located in Russia or Belarus. Supposedly implemented as a protest against the war, the update raised alarm from many in the open-source community, with fears that it would undermine confidence in the security of open-source software overall.

The update was made in a JavaScript module called node-ipc, which, according to the NPM package manager, is downloaded around 1 million times per week and used as a dependency by the popular front-end development framework Vue.js.

According to The Register, updates to node-ipc made on March 7th and March 8th added code that checked whether the IP address of a host machine was geolocated in Russia or Belarus, and if so, overwrote as many files as possible with a heart symbol. A later version of the module dispensed with the overwriting function and instead dropped a text file on users’ desktops containing a message that “war is not the answer, no matter how bad it is,” with a link to a song by Matisyahu.

Although the most destructive features of the “protestware” module no longer appear in the code, the consequences are harder to undo. Since open-source libraries are fundamental to software development, a general loss of trust in their integrity could have knock-on effects for users in Russia and elsewhere.

In a tweet, cybersecurity analyst Selena Larson referred to it as “forced insecurity”; in general, the open-source community has fiercely condemned the node-ipc update and pushed back on the idea of protest through module sabotage, even for worthy causes.

More broadly, the Ukraine conflict has posed difficult ethical questions to technology companies working in Russia. While many global tech leaders like Apple, Amazon, and Sony have paused or halted sales in the Russian market, others remain: in a blog post from March 7th, Cloudflare CEO Matthew Prince said that the company would continue to provide service in Russia despite calls to pull out, writing that “Russia needs more Internet access, not less.”