Protestware explained: Everything you need to know

Developers use protestware to drive a point home; some of it arrives as a message of defiance, some with destructive intent.

Following the invasion of Ukraine by the Russian Federation in 2022, democratic governments around the world -- with many of their citizens horrified by Russia's aggression -- sanctioned the former superpower. The invasion also resulted in a long list of commercial technology vendors that withdrew services from Russia.

But separately, independently and perhaps most forcefully of all, software developers took action to oppose the war. Protestware emerged as their weapon of choice.

What is protestware?

Protestware is a type of software application, code library or application package a developer has manipulated to convey a message on an issue of importance and contention, such as the war in Ukraine.

Instead of the application or package performing only as intended, protestware performs an additional, unexpected action. The action can be benign, such as displaying a message or image on a given topic. Or it can be damaging, such as restricting or removing access to software functionality or even erasing user data.

Protestware became a hot topic in 2022 after a series of changes to the node-ipc JavaScript package. Because a long list of other software depends on node-ipc, including parts of the Vue.js toolchain, some security researchers initially labeled the changes a supply chain attack. Past supply chain attacks had typically been the work of outsiders who compromised a project; here, the changes were made by the package's own maintainer, Brandon Nozaki Miller, who uses the developer handle "RIAEvangelist," in protest of the war in Ukraine. The destructive code, published alongside a protest module named peacenotwar, looked up the installing host's public IP address with a geolocation service and overwrote files on systems located in Russia or Belarus.

It's important to distinguish between protestware and hacktivism, which often share messaging goals but differ in execution.

In hacktivism, an outside attacker disrupts a service, through code injection, website defacement, DDoS attacks and the like, to voice an objection. In protestware, the legitimate developer, with authorized access to the code, makes the change deliberately, and the change itself is the protest.

Types of protestware

While protestware's goals remain generally constant -- contention with and attention on an issue -- the methods developers use to protest vary. Primarily, protestware is either malignant or benign. Malignant protestware executes an action on a system that could be considered harmful to that system. In contrast, benign protestware is not destructive, but instructive, displaying text or an image to convey a position.

Among benign protestware types, the following are prevalent:

  • Code repository banners. A developer can directly place messages of protest in a code repository in the name of a file, as the contents of a file or as an issue raised in discussion as part of the code development process. The file could be as simple as a basic readme file that includes the protest message.
  • Command-line interface (CLI) logs. Developers commonly install packages from the command line, and the package manager prints a log of the actions taken during installation. With CLI log protestware, the package's install-time script (for example, an npm postinstall hook) prints a protest message into that log on the user's system.

Different types of potentially malignant protestware include the following:

  • External environment code execution. Any time a package runs code the user did not ask for, there is risk. Protestware of this type works out where the host is located, through IP geolocation, locale or time-zone settings, and then, for example, redirects the user to a specific website.
  • Destructive code execution. A developer adds code that erases or corrupts data on systems that appear to be in a specific region.
  • Developer sanctions. A developer blocks the code from being distributed to, installed in, or run in a certain environment or geographic location.
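The region-gated pattern behind the malignant types above (decide where the host is, then write or delete files) can be caught with a simple static check before a package is allowed into a build. The scanner below is an added example written for this article, not code from node-ipc or any other package mentioned here; the package names, file contents, placeholder country code "XX" and the regular expressions are all constructed for the demonstration, and the sample scripts are only scanned as text, never executed.

```javascript
"use strict";
// Added example, not code from the article or from any package it names. A heuristic
// scanner that flags package files combining a region or locale check with a file
// write, delete or shell-out, and notes whether the package also declares an install
// hook. All patterns, names and sample inputs are constructed for this demonstration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Code deciding what to do based on where the host is located.
const REGION_SIGNALS = [
  /ipinfo\.io|ip-api\.com|ipapi\.co|ipgeolocation|geoip/i,
  /country(?:_code|Code)?\s*[!=]==?\s*["'][A-Z]{2}["']/,
  /resolvedOptions\(\)\.timeZone/,
  /process\.env\.(?:LANG|LC_ALL|TZ)\b/,
];

// Code modifying or removing files, or shelling out, on the installing host.
const DESTRUCTIVE_SIGNALS = [
  /\bfs\.(?:promises\.)?(?:rmSync|rm|rmdirSync|rmdir|unlinkSync|unlink|writeFileSync|writeFile|truncateSync|truncate)\b/,
  /\brm\s+-r?f\b/,
  /\b(?:exec|execSync|spawn|spawnSync)\s*\(/,
];

function matchAny(patterns, text) {
  return patterns.filter((re) => re.test(text)).map((re) => re.source);
}

// manifest: the parsed package.json; sources: a map of file name -> file contents.
function scanPackage(manifest, sources) {
  const scripts = manifest.scripts || {};
  const installHooks = LIFECYCLE_HOOKS.filter((hook) => hook in scripts);
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    const region = matchAny(REGION_SIGNALS, text);
    const destructive = matchAny(DESTRUCTIVE_SIGNALS, text);
    if (region.length > 0 && destructive.length > 0) {
      findings.push({ file, region, destructive });
    }
  }
  // A region-gated file write is suspicious on its own; a package that also declares
  // an install hook runs its code on every `npm install`, so rate that higher.
  let risk = "none";
  if (findings.length > 0) risk = installHooks.length > 0 ? "high" : "medium";
  return { name: manifest.name, version: manifest.version, installHooks, findings, risk };
}

// Constructed sample: a setup script, wired to a postinstall hook, that looks up the
// host's country and overwrites a file when it matches a placeholder code.
const GATED_PACKAGE = {
  manifest: { name: "example-ipc", version: "10.1.1", scripts: { postinstall: "node setup.js" } },
  sources: {
    "setup.js": [
      'const https = require("https");',
      'const fs = require("fs");',
      'https.get("https://ipinfo.io/json", (res) => {',
      '  let body = "";',
      '  res.on("data", (chunk) => { body += chunk; });',
      '  res.on("end", () => {',
      '    if (JSON.parse(body).country === "XX") fs.writeFileSync("target.txt", "overwritten");',
      "  });",
      "});",
    ].join("\n"),
  },
};

// Constructed sample: a benign banner that only prints a message after installation.
const BANNER_PACKAGE = {
  manifest: { name: "example-banner", version: "2.0.0", scripts: { postinstall: "node banner.js" } },
  sources: { "banner.js": 'console.log("This maintainer asks you to support humanitarian relief.");' },
};

function demo() {
  return [GATED_PACKAGE, BANNER_PACKAGE].map((pkg) => scanPackage(pkg.manifest, pkg.sources));
}

console.log(JSON.stringify(demo(), null, 2));
```

The check is a triage aid, not a verdict: internationalization libraries legitimately read the locale, and build tools legitimately write files, so a "medium" or "high" result means a human reads the flagged file before the version is approved, and a "none" result does not prove a package clean.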

Protestware threatens open source security

Protestware can occur in any software. However, because the code of smaller open source projects is often controlled by a handful of developers, open source software is more exposed to protestware than commercial closed source software, where a release passes through more hands before it ships. Some open source projects need only a single upset developer, one with commit access to the repository or publish rights on the package registry, to create protestware. And because larger projects routinely depend on smaller ones, a protest release in a small package propagates as supply chain risk far beyond the project it started in.

2022 was a busy year for protestware in open source software from the start. In January, developer Marak Squires turned two of his npm packages, colors and faker, into protestware aimed at companies that use open source without paying for it: a new release of colors printed "LIBERTY" banners and garbage text in an infinite loop, breaking applications that depended on it, and faker was published with its contents removed. npm is the default package registry for JavaScript software.

Alongside the node-ipc supply chain protest, Russia's invasion of Ukraine sparked protestware incidents in the styled-components and es5-ext packages. Styled-components developer Evan Jacobs, who goes by the developer handle "probablyup," added a post-installation message for users in Russia and Belarus in protest of the war in Ukraine. Mariusz Nowak, under the developer handle "medikoo," likewise added a post-installation message for users located in Russia during the es5-ext incident.

Malignant protestware -- the node-ipc peacenotwar code in particular -- met strong opposition from leaders within the open source community. Stefano Maffulli, executive director of the Open Source Initiative, commented in a blog post that free expression and speech are critical, but it's dangerous and counterproductive to turn open source into malware that damages user systems.

"The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible," Maffulli wrote. "By extension, all of open source is harmed. Use your power, yes -- but use it wisely."

How to protect against protestware

Protestware can affect organizations in many ways, but the primary risk is the supply chain one: a single changed package reaches every downstream user and application that depends on it, directly or transitively. Protecting against supply chain protestware is the same work as preventing supply chain attacks in general:

  • Understand dependencies. A critical first step to mitigating risk from malicious protestware is knowing what code a build pulls in. Software composition analysis (SCA) and dependency scanning tools inventory the direct and transitive dependencies of a codebase, and a lock file records exactly which versions were installed.
  • Test first, deploy later. Using open source code without first testing and evaluating it for unexpected behavior is a risk. Test every dependency update in an isolated environment before it enters production, confirm it operates as expected, and disable install-time scripts where they are not needed (npm's ignore-scripts setting), since install hooks are where post-installation protestware runs.
  • Secure commit access. Protestware can happen in larger projects too. Organizations must have access and audit control over every developer with commit access to the repository or publish rights on the package registry. In the event of an errant commit that includes protestware, a version control system such as Git can revert to the last acceptable revision, and a lock file can hold consumers on the last known-good package version until a fixed release ships.
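The three controls above reduce to a few checks that can run offline against a project's manifest and lock file: are direct dependencies pinned, does the lock carry an integrity hash for every package, which packages run install scripts, and does every package resolve to an approved registry. The audit below is an added example written for this article, not a tool from npm or any project named here. It reads the `packages`, `resolved`, `integrity` and `hasInstallScript` fields that npm writes into package-lock.json (lockfileVersion 2 and 3); the package.json, lock file, registry allow-list and placeholder integrity value are constructed for the demonstration.

```javascript
"use strict";
// Added example, not from the article or from npm: an offline audit of package.json
// plus package-lock.json (lockfileVersion 3 layout) for the conditions under which a
// protest release can enter a build without anyone changing a line of application
// code. The manifest, lock file and registry allow-list are constructed for this demo.

const ALLOWED_REGISTRY_HOSTS = ["registry.npmjs.org"];

// A version is pinned only if it is a bare x.y.z (optionally with a prerelease or
// build suffix); ^, ~, ranges and dist-tags such as "latest" all float.
function isPinned(range) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(range);
}

// Returns a list of { name, check, detail } findings; an empty list means clean.
function auditDependencies(manifest, lock, allowedHosts = ALLOWED_REGISTRY_HOSTS) {
  const findings = [];
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };

  // 1. Floating ranges in package.json admit a new release on any install that is not
  //    driven by the lock file (for example `npm install` after the lock is deleted).
  for (const [name, range] of Object.entries(declared)) {
    if (!isPinned(range)) findings.push({ name, check: "floating-range", detail: range });
  }

  // 2. Walk every installed package the lock file records.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    // Without an integrity hash, npm cannot detect a tarball swapped on the registry.
    if (!entry.integrity) findings.push({ name, check: "missing-integrity", detail: entry.version });
    // Install scripts run arbitrary code on every install: review them explicitly.
    if (entry.hasInstallScript) findings.push({ name, check: "install-script", detail: entry.version });
    // A tarball fetched from somewhere other than the approved registry bypasses
    // whatever review that registry (or an internal mirror) applies.
    if (entry.resolved) {
      const host = new URL(entry.resolved).host;
      if (!allowedHosts.includes(host)) findings.push({ name, check: "unexpected-registry", detail: host });
    }
  }
  return findings;
}

// Constructed sample manifest: one floating and one pinned dependency.
const MANIFEST = {
  name: "demo-app",
  version: "0.1.0",
  dependencies: { "example-ipc": "^10.1.0", "example-colors": "1.4.0" },
};

// Constructed sample lock file. The integrity value is a placeholder, not a real hash.
const LOCK = {
  name: "demo-app",
  version: "0.1.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0", dependencies: MANIFEST.dependencies },
    "node_modules/example-ipc": {
      version: "10.1.1",
      resolved: "https://registry.npmjs.org/example-ipc/-/example-ipc-10.1.1.tgz",
      integrity: "sha512-constructedplaceholder==",
      hasInstallScript: true,
    },
    "node_modules/example-colors": {
      version: "1.4.0",
      resolved: "https://mirror.example.internal/example-colors/-/example-colors-1.4.0.tgz",
    },
  },
};

function demo() {
  return auditDependencies(MANIFEST, LOCK);
}

for (const f of demo()) console.log(`${f.check.padEnd(20)} ${f.name} (${f.detail})`);
```

In CI, pair a check like this with `npm ci`, which installs exactly what the lock file records and fails when package.json and the lock disagree, rather than `npm install`, which will happily resolve a floating range to a release published an hour ago. Disabling install scripts globally (`npm ci --ignore-scripts`) closes the post-install channel entirely, but it also skips scripts that some native packages legitimately need to build, so the install-script finding is a prompt to review and allow-list rather than an automatic failure.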
