After ‘protestware’ attacks, a Russian bank advised its customers to stop updating their software

As the Russian invasion of Ukraine continues, the consequences are being felt across many areas of the technology sector, including open source software development.

In a recent announcement, Russian bank Sber advised its customers to temporarily stop installing software updates on all apps, fearing they might contain malicious code specifically aimed at Russian users, dubbed by some as “protestware”.

As quoted in Russian-language news sites, Sber’s announcement reads:

Currently, cases of introducing provocative media content into freely distributed software have become more frequent. Additionally, various malicious content and code can be bundled into freely distributed libraries used for software development. Use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.

Where there is an urgent need to use the software, Sber advised customers to scan the files with antivirus software or perform a manual source code review, a suggestion that is likely to be impractical, if not impossible, for most users.

Although phrased in general terms, the announcement was likely made in reference to an incident earlier in March, in which the developer of a widely used JavaScript library published an update that overwrote files on machines located in Russia or Belarus. Supposedly implemented as a protest against the war, the update alarmed many in the open source community, who feared it could undermine confidence in the security of open source software in general.

The update was made in a JavaScript module called node-ipc, which according to the package manager NPM is downloaded around 1 million times a week and is used as a dependency by the popular front-end development framework Vue.js.

According to The Register, node-ipc updates made on March 7 and 8 added code that checked whether the host machine’s IP address was geolocated in Russia or Belarus and, if so, overwrote as many files as possible with a heart symbol. A later version of the module removed the overwrite behaviour and instead dropped a text file on users’ computers containing the message that “war is not the answer, no matter how bad”, with a link to a Matisyahu song.
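Sber’s suggestion of reviewing code before updating is only workable if you first know which packages an update actually changes. The script below is an added example, not code from the article or from the node-ipc project: it diffs two npm package-lock.json documents (lockfileVersion 2 or 3, whose `packages` map is keyed by `node_modules/<name>`) and lists every added, removed, version-changed or integrity-changed dependency, transitive ones included, so each can be inspected before `npm install` is run. The sample lockfiles and their version strings are constructed placeholders, not the real node-ipc release numbers.

```javascript
// Added example (not from the article): list what an npm update would change,
// reading the "packages" map of lockfileVersion 2/3 package-lock.json files.

function lockPackages(lock) {
  const out = new Map();
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const prefix = "node_modules/";
    const name = path.slice(path.lastIndexOf(prefix) + prefix.length);
    out.set(path, { name, version: info.version, integrity: info.integrity });
  }
  return out;
}

function diffLockfiles(oldLock, newLock) {
  const before = lockPackages(oldLock);
  const after = lockPackages(newLock);
  const changes = [];
  for (const [path, cur] of after) {
    const prev = before.get(path);
    if (!prev) {
      changes.push({ name: cur.name, kind: "added", to: cur.version });
    } else if (prev.version !== cur.version) {
      changes.push({ name: cur.name, kind: "updated", from: prev.version, to: cur.version });
    } else if (prev.integrity && cur.integrity && prev.integrity !== cur.integrity) {
      // Same version string but a different tarball hash: the package
      // contents changed without a version bump, which deserves a close look.
      changes.push({ name: cur.name, kind: "integrity-changed", to: cur.version });
    }
  }
  for (const [path, prev] of before) {
    if (!after.has(path)) changes.push({ name: prev.name, kind: "removed", from: prev.version });
  }
  return changes;
}

// Constructed sample lockfiles; versions and hashes are placeholders.
const OLD_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "app" },
  "node_modules/node-ipc": { version: "X.Y.0", integrity: "sha512-OLDHASH" },
  "node_modules/vue": { version: "A.B.0", integrity: "sha512-VUEHASH" } } };
const NEW_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "app" },
  "node_modules/node-ipc": { version: "X.Y.1", integrity: "sha512-NEWHASH" },
  "node_modules/vue": { version: "A.B.0", integrity: "sha512-VUEHASH" },
  "node_modules/some-new-dep": { version: "Q.R.0", integrity: "sha512-QHASH" } } };

for (const change of diffLockfiles(OLD_LOCK, NEW_LOCK)) console.log(change);
```

Run it against the lockfile committed in version control and the one produced by a trial `npm install` in a scratch directory; the output is the list of packages whose source should be read before the update is applied.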

Although the most destructive features of the “protestware” module no longer appear in the code, the consequences are harder to undo. Since open source libraries are fundamental to software development, a general loss of confidence in their integrity could impact users in Russia and elsewhere.

In one tweet, cybersecurity analyst Selena Larson called it “forced insecurity”; more generally, the open-source community fiercely condemned the node-ipc update and pushed back against the idea of protesting by sabotaging modules, even for good causes.

More broadly, the Ukraine conflict has posed difficult ethical questions for tech companies working in Russia. While many global tech leaders such as Apple, Amazon, and Sony have suspended or halted sales in the Russian market, others remain: in a March 7 blog post, Cloudflare CEO Matthew Prince said that the company would continue to provide services in Russia despite appeals to stand down, writing that “Russia needs more internet access, not less.”