7.3 KiB
List of open-source projects containing protestware
What is "protestware"
ProtestWare is a type of malware with political overtones. Implements unexpected software behavior. Most often, changes do not affect all users, but a certain group according to such criteria as countries, language, time zone, etc. Manifestations can be in the form of displaying political slogans, deliberate failures in the software itself, or causing harm to other user software.
About this list
This list is based on CTO Club List, GreatBookOfGrudges, toxic-repos and other sources.
How to update this list
Please open an issue or create a pull request.
Open source projects with protestware
peacenotwar
ProtestWare NPM-package. repo
If any users are using IP in Russia or Belarus, all their file will be wiped entirely by hearts.
node-ipc
About project: NPM-module for Inter Process Communication. repo
Issue | Malware code | commit
If any users are using IP in Russia or Belarus, all their file will be wiped entirely with a heart emoji. Manually set a 25% probability at the beginning of the timeout, so that this thing looks more like a floating bug than something intentional.
This affects the package node-ipc from 10.1.1 and before 10.1.3. From versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package.
es5-ext
About project: ECMAScript extensions. repo
The popular npm-package which has not been updated for 2 years has started receiving regular updates that contain both propaganda and timezone code that increases resource utilization. Check the file _postinstall.js
Quake3e
About project: Improved Quake III Arena engine. repo
26.02.2022 Removed support of Russian MCST/Elbrus platform: commit
RESP.app / RedisDesktopManager
GUI for Redis. repo
Russian translation was removed. commit
pnpm
About project: Package manager. repo
Added anti-Russian statement. commit
Also access to pnpm.io is blocked from Russia an Belarus
yandex-xml-library (PHP)
About project: un-official Yandex-XML PHP library. repo(removed)
A version of the package with a political slogan has been added to packagist, and the sources have been removed from the GitHub. The result is a broken project build. But there are 9 forks on GitHub.
AWS Terraform modules
Added anti-Russian slogans and meaningless variables to the code. One of commits
retejs/rete
About project: JavaScript framework for visual programming.
Added "StandWithUkraine" postinstall message. commit
composer
About project: Package Repository Website for Composer (PHP). repo
Added message "StandWithUkrane". commit
PHPUnit
About project: testing framework for PHP. repo
Added message "StandWithUkraine". commit
Mistape WordPress plugin
https://wordpress.org/plugins/mistape/
Through a vulnerability in the popular Mistape plugin, an attacker gains access to the administrator sections, uploads the UnderConstruction plugin, with which it displays arbitrary information on the main page of the site. Usually this is a widget on the topic of current events in Ukraine. The author of the plugin on February 24 made changes to it. I waited until the update was distributed among users and began to exploit the vulnerability that was included there in a few days.
Projects, where protestware were removed
Vue CLI
Transitive dependency on node-ipc.
node-ipc has been version-locked to a previous release by vue/cli-shared-utils, perhaps one of the more popular downstream consumers of the package.
The (transitive) vulnerability in @vue/cli has been fixed. Please update to the latest versions of @vue/cli, either 4.5.16+ or 5.0.3+
Awesome Prometheus Alerts
Determines the user's active language and redirects to the page with slogans. In the following commits, the code was removed. commit
filestash
Filestash web site. repo
Using the definition of IP, Zelensky's video message was shown. commit
Now removed.
tasmota
About project: ESP8266 / ESP32 firmware. repo
Messages in the log, inoperability of the device: commit
The author rolled back the vulnerability under public pressure: commit 1 | commit 2
Onefetch
About project: A command-line Git information tool. repo
When installing the program, it replaces the libgcc_s.so.1 library, the system stops responding and after rebooting the system gives a kernel panic error.
There is no evidence of malice. False alarm.