Protestware explained: Everything you need to know

Developers use protestware to drive a point home; some of it arrives as a message of defiance, some with malicious intent.

Following the invasion of Ukraine by the Russian Federation in 2022, democratic governments around the world -- with many of their citizens horrified by Russia's aggression -- sanctioned the former superpower. The invasion also led a long list of commercial technology vendors to withdraw services from Russia.

But separately, independently and perhaps most forcefully of all, software developers took action to oppose the war. Protestware emerged as their weapon of choice.

What is protestware?

Protestware is a type of software application, code library or application package a developer has manipulated to convey a message on an issue of importance and contention, such as the war in Ukraine.

Instead of an application or package performing as intended, protestware creates an unexpected action. The action could be benign, such as displaying a message or image on a given topic. Or the action could be damaging, such as restricting or removing access to software functionality or even erasing user data.

Protestware became a hot topic in 2022 following a series of changes to the node-ipc JavaScript package. Because a number of other projects depend on node-ipc to function, including the Vue.js framework for user interfaces, some security researchers initially labeled the malicious changes as a supply chain attack. While outsiders were always the culprits in past supply chain attacks, in this case Brandon Nozaki Miller, the core developer of node-ipc, who uses the developer handle "RIAEvangelist," made the changes himself in protest of the war in Ukraine. Labeled peacenotwar, the code was designed to erase data if used on systems located in Russia or Belarus.

It's important to distinguish between protestware and hacktivism, which often share messaging goals but differ in execution.

In hacktivism, an attacker disrupts service in different ways, including code injection, website defacement and DDoS attacks, to voice their objection. Protestware, on the other hand, features the legitimate developer, with authorized access to code, making intentional changes in protest.

Types of protestware

While protestware's goals remain generally constant -- contention with and attention on an issue -- the methods developers use to protest vary. Primarily, protestware is either malignant or benign. Malignant protestware executes an action on a system that could be considered harmful to that system. In contrast, benign protestware is not destructive, but instructive, displaying text or an image to convey a position.

Among benign protestware types, the following are prevalent:

  • Code repository banners. A developer can directly place messages of protest in a code repository in the name of a file, as the contents of a file or as an issue raised in discussion as part of the code development process. The file could be as simple as a basic readme file that includes the protest message.
  • Command-line interface (CLI) logs. Developers commonly install code using the CLI, which generally includes a log of the actions taken during installation. With CLI log protestware, developers inject a protest message that displays on a user's system as part of the log.

Different types of potentially malignant protestware include the following:

  • External environment code execution. Anytime unexpected code runs in a given application, there is risk. With protestware, code can identify where a user is located and redirect a user to a specific website.
  • Destructive code execution. A developer injects code to erase or destroy data on a system that might be in a specific region.
  • Developer sanctions. A developer blocks code from being distributed or running in a certain environment or geographic location.

Protestware threatens open source security

Protestware can occur in any software. However, because the application code for smaller, open source projects is sometimes controlled by a small group of developers, open source software is more vulnerable to protestware compared with commercial closed source software. In fact, some open source projects need only a single upset developer -- one with code commit access to a repository in GitHub -- to create protestware. Since there are often larger projects relying on smaller ones, protestware can create and then magnify supply chain risk far beyond its original, small open source project.

From the start, 2022 was a busy year for protestware in open source software. In January, developer Marak Squires modified a pair of his Node Package Manager (NPM) packages, colors and faker, into protestware displaying anti-corporate messages. NPM is a popular open source registry for JavaScript software packages.

In addition to the node-ipc JavaScript supply chain protest, Russia's invasion of Ukraine sparked protestware incidents in the styled-components and es5-ext packages. Styled-components developer Evan Jacobs, who goes by the developer handle "probablyup," created a post-installation message to users in Russia and Belarus in protest of the war in Ukraine. Mariusz Nowak, under developer handle "medikoo," also authored a post-installation message to users located in Russia during the es5-ext incident.

Malignant protestware -- the node-ipc peacenotwar code in particular -- met strong opposition from leaders within the open source community. Stefano Maffulli, executive director of the Open Source Initiative, commented in a blog post that free expression and speech are critical, but it's dangerous and counterproductive to turn open source into malware that damages user systems.

"The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible," Maffulli wrote. "By extension, all of open source is harmed. Use your power, yes -- but use it wisely."

How to protect against protestware

Protestware can affect organizations in many ways, but the primary risk is a supply chain attack because of the broader group of users and applications affected. Protecting against supply chain protestware is similar to preventing supply chain attacks in general:

  • Understand dependencies. A critical first step to mitigating risk from malicious protestware is recognizing areas of vulnerability. Software composition analysis and dependency scanning tools can help organizations determine which packages their code depends on, directly and indirectly.
  • Test first, deploy later. Using open source code without first testing and evaluating it for unexpected behavior is a risk. Test all code before it enters production to ensure it operates as expected.
  • Secure commit access. Protestware can happen in larger projects too. Organizations must have access and audit control for all developers with commit access. In the event of an errant commit that includes protestware, an organization with a modern version control code repository, such as GitHub, can revert to its last acceptable version.
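
As an added example (not code from this article or from any project it names), the following Node.js script applies the "understand dependencies" step to the post-installation behavior described above: it lists every package in an npm lockfile that runs install-time scripts and shows which packages pull it in. It assumes the v2/v3 lockfile layout, where npm records a `hasInstallScript` flag per package; the sample lockfile and its package names are constructed.

```javascript
'use strict';

// Constructed sample of an npm lockfile (v2/v3 "packages" layout).
// All package names and versions here are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'ui-kit': '^1.0.0', 'logger-lib': '^2.0.0' } },
    'node_modules/ui-kit': { version: '1.0.0', dependencies: { 'ipc-helper': '^3.0.0' } },
    'node_modules/ipc-helper': { version: '3.1.0', hasInstallScript: true },
    'node_modules/logger-lib': { version: '2.0.4', hasInstallScript: true },
    'node_modules/@demo/plain': { version: '0.1.0' },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Return every locked package that npm marks as running install-time scripts,
// plus the packages that depend on it, so reviewers know what executes on install.
function auditInstallScripts(lock) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === '' || !meta.hasInstallScript) continue;
    const name = packageName(lockPath);
    const requiredBy = Object.entries(packages)
      .filter(([p, m]) => p !== '' && m.dependencies && name in m.dependencies)
      .map(([p]) => packageName(p));
    findings.push({
      name,
      version: meta.version,
      // Direct only if the app itself declares it and it sits at the top level.
      direct: direct.has(name) && lockPath === 'node_modules/' + name,
      requiredBy,
    });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

console.log(JSON.stringify(auditInstallScripts(sampleLock), null, 2));
```

In a test environment, `npm ci --ignore-scripts` installs the locked tree without running these scripts, so the flagged packages can be reviewed before anything they ship executes.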
