JavaScript library updated to wipe files from Russian computers The developer of JavaScript library node-ipc, which is used by the popular vue.js framework, deliberately introduced a critical security vulnerability that, for some netizens, would destroy their computers' files. Brandon Nozaki Miller, aka RIAEvangelist on GitHub, created node-ipc, which is fetched about a million times a …
While I am not happy with war in Ukraine, malicious destruction of files, etc. on someone's computer is beyond the pale. From what I have heard there are some anti-war protests in Russia so the war is not universally popular there. You could be destroying someone's computer who actually is on the side of peace.
Yeah, but when you don't care about collateral damage, or you're too stupid to imagine that your actions just might be detrimental to some people who are not like the ones you lump in one giant category, it doesn't matter.
So, this Miller is an asshole.
Oh well, maybe it will help people understand that YOU DO NOT DOWNLOAD LIBRARIES TO YOUR PRODUCTION SERVER.
Criminal? What crime exactly?
He didn't install and run that software on your machine, he just wrote and published it. Someone else wrote a pipeline that blindly trusted this package and that is where the crime occurred.
The author is performing a valuable public service.
the war is not universally popular there
It is my understanding that the war is universally UN-popular in Russia, among the regular people. Why would they want to become the SOVIET UNION again?
I have to wonder WHAT LAWS WERE VIOLATED in the (alleged, reported) intentional publishing of MALWARE with the intent of causing damage and copying unwanted files onto people's computers...
because if THIS is TOLERATED, then WHAT'S NEXT?
(think of every wacko out there who ever did things in protest that simply IRRITATE everybody and even cause various forms of damage, from throwing paint on people's fur coats, to filing predatory and/or malicious lawsuits to halt a project over some political or environmental pet pieve... (and YES, I'm talking 'new form of cancel culture' and WOKENESS being a major factor here)
I have to wonder WHAT LAWS WERE VIOLATED in the (alleged, reported) intentional publishing of MALWARE with the intent of causing damage and copying unwanted files onto people's computers...
What laws do you think might have been violated? Bearing in mind that anyone using it could have seen what it did.
In England, Wales, and Scotland:
Making, supplying or obtaining articles for use in computer misuse offences - s37 of the Police and Justice Act 2006. There is likely an identically worded law under a slightly different name in Northern Ireland.
Be real. Before running "npm install vue", how many people browser the dependency tree and read the 50 or so MB of code that it pulls in?
They will look at the description on the vue website about what it does. Vue had no idea that the code in this dependency had changed.
>What laws do you think might have been violated?
A good question that others seem to have missed, is that the target was Belarus and Russia. Hence is doing 'damage' to computers in these countries a crime under which ever national law the person making the changes was subject to? and does that nation have extradition treaties with Russia and/or Belarus?
Certainly if the target was say the US then we know immediately that at the minimum the wire fraud laws will have been violated and the US would seek to extradite the relevant people for trial in the US.
- Destroying files is bad
- Adding one .txt file is not, moreover if it's documented.
If people aren't happy with an open-source project, they are free to develop the component they need by themselves.
Anyway, integrating directly files into projects from external repositories without checking the content first is a bad practice.
It wasn't in the documentation when the library became part of another program, and it's not possible to read the documentation every time a library is updated.
The argument that the NPM system shouldn't used as it is anyway - I don't think that was the mans intention, so it is besides the point.
There is current trend, across the political spectrum, that every opinion should be expressed as virulently and strongly as possible in ways that disrupt normal function in any way possible, whatever the collateral damage, and this an logical extension of that, carried in to international conflict.
I believe that is a wrong and self destructive approach, and restraint combined with strategic focus where it will be effective is the best strategy. Harsh words and name-calling are mostly about making your opponent lose face, but if you aren't prepared to back that up with force it is worse than useless. On the other hand, if your opponent believes they are in checkmate, then allowing them a face saving way to back down is a smart idea - especially if they have nuclear weapons.
> - Destroying files is bad
> - Adding one .txt file is not
As far as I'm concerned, after intentionally publishing malware, Brandon Nozaki Miller (RIAEvangelist) should have had his access to github and NPM permanently revoked with the project's code frozen.
The second round of malware should never have happened.
However, I also have to say that dropping a text file somewhere is not harmless. It's unexpected behaviour from code that shouldn't have a need access files in that location. It's one small step from adding desktop icons. e.g. A shortcut to visit amazon.com via sponsored/referred link. If you want to say a file on the desktop with political statements is okay, get ready for the money making schemes to infiltrate and destroy all open source projects...
NPM is basically a botnet that people subscribe to willingly.
How anyone could ever think it's a good idea to source libraries live from 3rd parties is beyond me. More efficient local caching of common libraries is about the only thing going for it, but we aren't using dialup modems anymore and the risks far outweigh it.
The whole thing is insane.
"The whole thing is insane"
Yes indeed, but it serves two purposes for the hosts:
[1] it protects the developer from having to think about integrating or validating the totality of the code, which speeds up development, saving money
[2] it reduces the traffic load on the hosting servers, which saves money
Both of these purposes provide advantage to the providing host, so we're probably stuck with it, regardless of any common sense or hazard to the user.
As we are (literally) forced to rely on the web more and more to run and maintain our societies, it becomes ever more dangerous to do so. Ultimately, the entire bubble will collapse, by which time we'll have no idea how to pick up the pieces.
At that point, to loosely quote Monty Python, "Is this the end of the World as we know it" - "Yes" - "Oh"
My mistake - this particular module is for node.js only, not the browser, so it's serverside js. affecting the server not the client.
The whole issue is the same though - whether it's servers auto updating/pulling in packages from 3rd party sites, or client run javascript instructing browsers to load 3rd party javascript.
[1] is incorrect either way. You do have to think about integration as NPM uses a loose versioning system, especially when the module is compiled client side. ie. it won't run, but it will still integrate. The other way you mention, not validating the totality, that's simply a blind approach (not sure why you list this as a benefit).
[2] isn't true either but, it's a typical talking through the hat selling point, one that dresses up "load distribution". All these NPM like deployment systems either run 1 time via user, or all the time automatically, does that sound familiar? If code exists on a certain server, then that server will always be hit the same amount of times no matter the ring strategy (heavy math based supercomputers aside). More servers for anything equals less traffic for anything (not just NPM, anything you put on them), but everything will be hit equally per your design (again, supercomputers aside).
The article mentions this:
"The continuing rise of the Node.js JavaScript framework has given the world a whole new type of software vulnerability."
If people think Node.js == NPM, then let me point out that Rust now has the same vulnerability... Cargo (FYI, both NPM and Cargo are controlled by Microsoft). Sadly, most don't know that Node itself doesn't require NPM. However, Node does use the shared packages you can get through NPM (there just vetted differently).
Every Linux distribution depends on third party packages. How is that different? So go with Windows then - but actually Windows is not better than Linux as far as exposure to malware goes and it's not a pleasant environment in which to develop (imo).
While I agree that the current promiscuity is excessive - where do you draw the line and what is "live"? A mechanism already exists for locking versions - the reasoning for not using that is to allow automatic security updates - and that is not totally unreasonable.
Ultimately we will see less layers of dependency, and better judgement about when to introduce a dependency.
This isn't about using third party libraries, it's about loading/updating them from a server out of your conttol, into your live software.
What is live? Errm what? How is that debatable? Production code, in use, with real data - as opposed to code in development on someones local computer which no-one else is accessing except maybe other people on the development team.
It's an easy line. Host your software. Don't be in a situation where your live (sorry, production/in use) code can be altered by someone else outside your team.
As for 3rd party libraries, I'll happily update packages on my personal machines, after reading changelogs, and if something breaks, I'll try and sort it out, but you can be bloody sure I won't update dependencies on live server code in such a cavalier way, and ESPECIALLY not in an automated way.
This is nothing unusual. It's standard practice, but more, it's common sense. At my last job, 1000's of people in the company used my teams software that ran on internal servers. We all liked our jobs too much to allow random people in the world to alter our live (running) code at will.
The fact this distinction isn't obvious to you leads me to believe you are of the younger generation that is responsible for this mess.
I don't look forward to the future when all us grey beards have retired, and new software is required for new traffic lights/hospital equipment/nuclear power systems/autonomous cars...
So, has GitHub (that's MSFT, right?) applied any sanctions to the guy? In my opinion, it's beyond unprofessional, regardless of whether one agrees with his views or not. I'd expect him to be kicked out and get a lifetime ban or something, if it is technically possible.
As for all the developers, presumably some (many?) of them commercial companies, that pulled this stuff without stopping twice that's essentially a supply chain attack. A trivial one, and, one assumes, trivially preventable. IANAL, and I may be hopelessly naive, but I think some level of "duty of care" is expected to be exercised while producing stuff others use, even if it is "just software".
And as a related point: I am not a JS expert by any stretch, but I thought that the browser was supposed to cuddle any JS in some kind of sandbox. How come a random piece can do IPC or delete arbitrary files or drop files on the Desktop? Can anyone enlighten me?
And as an afterthought: does it even work on a Mac?
This post has been deleted by its author
Your browser will download what it is told to from the web server you are connecting to - and that will be independent of any other browser tabs and the versions of javascript modules loaded on those pages.
The NPM updates would be on to the web server and then distributed to the clients on page load.
Whether your browser tab will do stuff outside of its sandbox is subject to the browser version, desktop security, and user stupidity (e.g "Click here to win lots of money"). This is regardless of platform - Windows / Linux or Mac
As other people have noted, doing NPM updates from the web blindly is not good practice - but unfortunately some web developers don't see it that way.
This is a node.js NPM package. I.E. This is serverside jacascript, not browser javascript.
NPM is "Node Package Manager", like apt, or pkg or deb etc.
The attacked computer would be the server running the application. The basic problem is the package manager has rhe ability to auto-update dependencies, and most people seem to usr it that way, so the changed files are loaded into someones server application.
Do npm packages work in browser or only in Node.js
Node Package Manager Guide: Install npm + Use Commands & Modules
Maybe Automatically Updating Dependencies Isn’t a Great Idea
A trivial one, and, one assumes, trivially preventable. IANAL, and I may be hopelessly naive, but I think some level of "duty of care" is expected to be exercised while producing stuff others use, even if it is "just software".
I don't think the "just software" matters as much as the "for free, with no contract and no mutual obligations whatsoever". That guy in Nebraska owes nothing to the rest of the edifice.
The hilarious thing about NPM is that it's not just JavaScript. Many dependencies in NPM contain C, C++ and other code that gets compiled into a native binary upon installation.Especially when you use NodeJS, you give up any pretense of sandboxing, as still kind of happens with browser-based JS (gaping security holes like WebGL aside).
This means that NPM packages should be treated as native code, and you have to ask yourself whether you feel comfortable whatever random code happens to get sucked down along with all other dependencies whenever you run 'npm install'.
If your habit is to run whatever PythonScript or C or Rust or D you copy blindly off GitHub, StackOverflow, etc., then you're pretty much in the same boat as the NodeJS devs who get their systems wiped or encrypted by malware on a monthly basis because someone YOLO'ed something naughty into the NPM repos again.
I agree with the sentiment, but it's an utterly dick move.
There's no excuse for randomly trashing files, especially given as one cannot equate Russia with western democracies - just look at how war protesters are being treated. The cops are more than happy to throw young children into cells (but, then, in the country they are stomping over, the army seem more than willing to consider them acceptable targets). As such, you cannot know the thoughts and political opinions of the person who ends up running your code, other than to be pretty certain that if their files end up being replaced by heart symbols, they are quite likely to think westerners are a bunch of hypocritical wankers.
On a different note, this does highlight the obvious flaw in fetching and using stuff on the internet, as opposed to using known versions hosted locally. There is the argument that using the latest versions will be better against security flaws than older ones, but then again newer versions aren't necessarily better if the author is a complete fucking arsehole that thinks it's okay to wipe people's data. That's malware behaviour.
Icon because Putin is the main problem, not random citizens.
I understand the motivation of the developer, even if I don't agree with it... however, this once again exposes a critical weakness in these JavaScript package managers that will likely fall on people who are intentionally blind, deaf, and dumb to the problem. Even if you catch things like this within a couple hours, it likely has spread to tens of thousands, even millions, of unsuspecting users visiting seemingly safe sites. If someone just adds a cryptominer dependency to some popular package way down the chain, by the time anyone catches it, they'll probably have managed to make more than enough money to make it well worth the effort.
He's actually doing us all a huge favor without realizing it.
Javascript is a train wreck. Its grown way beyond where its safe or sane for this type of script environment to be. Its OK for throwaway stuff -- it doesn't matter that much if a particular page on a newspaper website crashes the program (like it did this morning), its just a 'reload and avoid the page' job. Its not safe, secure or structured enough to be trustworthy for real work.
"All the traffic lights have turned green at the same time? Just click refresh. Sorry about all the car crashes"
It's just like the next generations version of the "just switch it off and on again" mentality from the Microsoft era, and as with that, it should never be the philosophy applied to critical systems
Set of temporary traffic lights near me failed just a couple of days ago. Gone are the days of an electromechanical timer and wires strung between them; these have smarts and link via radio. Much more to go wrong. And they did.
At least they failed to all-red. Chaos on the street though. I let the cops know (driving through a red light is still an offence) but some good samaritan decided to push them all over instead..
Objectively, I think it's a a real question as to whether he broke any laws. No one makes people use his software - in fact, the opposite. You had to download it deliberately or as a dependency. Sure, it should be forked and he should be kicked off GitHub, etc permanently....but past that....I dunno.
Bad idea. I support Anonymous' attacks on Russian systems and exfiltration of data. Overwriting systems based on IP-based geolocation? BAD IDEA. A) I'm not for automated destruction of people's systems anyway -- pick your targets. Wiping out some rando's system because they happen to be (maybe) in Russia is seriously a dick move. B) Geolocation IS UNRELIABLE. If this had been in the wild long, the chance is very high you would have overwritten random people's systems that are in no way associated with Russia or Belarus.
I have 0 complaints about peacenotwar -- a lib that is likely used as a nuisance, but it's non-destructive, doing what it says it does and can be included or not in other projects.
As for node-ipc... I definitely (as I've said) cannot condone destroying people's systems based on geolocation. Putting a file on the system as peacenotwar does? I'd strongly prefer my libs to do exactly what I ask them to do and nothing else, but this is one of the risks people take from using a system like npm -- near-continuous updates with essentially nobody vetting the packages, or their dependencies, instead waiting until problems show up and taking care of it after the fact.
Arm chair activists are wusses. The are incredibly selfish. The did this stuff to make themselves feel better. What did he accomplish? Nothing. Well..that's not true. He's sounded the beginning of the end of open source in the corporate work place. I'm fine with this - I've said for a long time it's a serious mistake to use something controlled by small number of people in a corporate application. Angular? Sure. This one guy and his library? Hell no. Why? Because even smart people are stupid. So I sort of want to thank him for kickstarting this.
Past that...I have no use for him. What was this supposed to do? Awareness? Pretty sure everyone knows about it. Stop Russia? Yeah. Sure. So it accomplished...nothing. Zero. Nada. If anything, he has distracted people from the war. Gratz dude.
I don't really care if he had the 'right' to do this or not. I'm on the side of 'why did you trust him in the first place?'
No one will use this library or anything else he writes going forward. He will forever be the guy that is willing to sabotage millions of people's work for....essentially no reason. No one will want to hire him. He has no integrity. He cannot be trusted. That's his accomplishment.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
