Supply Chain Attack Using NPM
This began on March 8, when developer Brandon Nozaki Miller wrote and published an “npm” software module called “peacenotwar.” The notes accompanying the module claim that it serves as a nondestructive example of why controlling node modules is important, and as a protest against Russia.
The peacenotwar code ended up in Vue.js CLI, and this is where the problem starts: the code is also able to launch a destructive payload and overwrite all files of users installing the package. The original intent was for the code to overwrite files for users based in Russia and Belarus, but the code opens the door to a broader supply chain attack.
The risk this so-called “protestware” has introduced is serious: the vulnerability has been assigned a score of 9.8 out of 10 on the Common Vulnerability Scoring System, which rates it as critical.
The malicious code has been found in node-ipc versions 10.1.1 and 10.1.2; it is recommended to upgrade to version 10.1.3 or higher.
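As a practical check for the advisory above (an added example, not code from the article or from the node-ipc project): the script below walks a parsed package-lock.json, either the flat v2/v3 "packages" map or the nested v1 "dependencies" tree, and flags node-ipc entries at the affected versions 10.1.1 and 10.1.2 or below the recommended 10.1.3. The sample lockfile, its package paths and the 9.2.1 and 0.0.0-constructed versions are constructed for illustration.

```javascript
// Added example, not from the original article: audit a parsed npm
// package-lock.json for the node-ipc versions the article names.
const AFFECTED = new Set(["10.1.1", "10.1.2"]); // versions carrying the payload
const FIXED = "10.1.3";                         // recommended minimum version

// Numeric compare of "x.y.z" version strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Collect every node-ipc entry (install path + version), transitive ones included.
// Lockfile v2/v3 keeps a flat "packages" map keyed by install path; lockfile v1
// nests transitive packages under each dependency's own "dependencies".
function findNodeIpc(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.slice(path.lastIndexOf("node_modules/") + 13) === "node-ipc")
        hits.push({ path, version: pkg.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-ipc") hits.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
// "affected": payload-carrying version; "outdated": older than 10.1.3; "ok".
function auditLockfile(lock) {
  return findNodeIpc(lock).map((h) => ({ ...h,
    status: AFFECTED.has(h.version) ? "affected"
          : compareVersions(h.version, FIXED) < 0 ? "outdated" : "ok" }));
}
// Constructed v3-style lockfile (illustrative paths and versions): node-ipc pulled
// in transitively, as in the Vue.js CLI case, plus an outdated top-level copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app" },
  "node_modules/@vue/cli": { version: "0.0.0-constructed" },
  "node_modules/@vue/cli/node_modules/node-ipc": { version: "10.1.2" },
  "node_modules/node-ipc": { version: "9.2.1" } } };
```

Run `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` against a real lockfile; copies nested under other packages, which is how node-ipc reached Vue.js CLI users, are reported with their full install path.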