Have you heard of protestware? Researchers have been tracking so-called protestware projects across GitHub: repositories with recently added code that displays “Stand with Ukraine” messages. The same researchers are also tracking several code packages that were recently modified to delete files on computers whose connections most likely originate from Russian or Belarusian internet addresses.
Protestware Projects on GitHub
This shared research effort is being crowdsourced via Telegram, says security expert Brian Krebs. However, the “output of the Russian research group is centralized in a Google Spreadsheet that is open to the public.” The majority of the GitHub repositories tracked include relatively harmless components, such as messages showing support for Ukraine and statistics about the war, with links to more information on the Deep Web.
According to Alex Holden, a native Ukrainian behind the Milwaukee-based cyber intelligence firm Hold Security, the real trouble is when protestware is included in code packages that get automatically fetched by many third-party software products. The researcher shared that some of the code projects tracked by the Russian research group are maintained by Ukrainian software developers.
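The point above is that a package nobody deliberately installed can still run code on a build machine if it is pulled in transitively and declares an install-time script. The script below is an added example, not code from the article or from any of the projects it mentions; it assumes npm-style package.json manifests (the article does not name an ecosystem) and uses constructed manifests embedded inline. It flags two things a practitioner would want to see before trusting a dependency tree: lifecycle hooks that execute at install time, and floating version ranges that let a newly published release be fetched without any change on the consumer's side.

```python
"""Flag transitive dependencies that can execute code at install time and
dependency specs that float to new releases. Added example with constructed
data; the manifests below are not real packages."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed package.json contents keyed by "name@version" (hypothetical names).
# In practice these would be read from each node_modules/<pkg>/package.json.
SAMPLE_MANIFESTS = {
    "app@1.0.0": json.dumps({
        "name": "app", "version": "1.0.0",
        "dependencies": {"util-lib": "^2.1.0", "color-fmt": "1.4.2"},
    }),
    "util-lib@2.1.3": json.dumps({
        "name": "util-lib", "version": "2.1.3",
        "dependencies": {"color-fmt": "~1.4.0"},
        "scripts": {"test": "node test.js"},
    }),
    "color-fmt@1.4.2": json.dumps({
        "name": "color-fmt", "version": "1.4.2",
        "scripts": {"postinstall": "node ./lib/setup.js", "test": "jest"},
    }),
}

# An exact semver triple; anything else (^, ~, ranges, tags) can float.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def load_manifests(raw):
    """Parse each manifest string into a dict, preserving insertion order."""
    return {key: json.loads(text) for key, text in raw.items()}


def install_hooks(manifests):
    """Return (package, hook, command) for every script that npm would run
    automatically at install time, across the whole tree."""
    found = []
    for key, pkg in manifests.items():
        for hook, command in pkg.get("scripts", {}).items():
            if hook in LIFECYCLE_HOOKS:
                found.append((key, hook, command))
    return found


def floating_ranges(manifests):
    """Return (package, dependency, spec) for dependency specs that are not
    pinned to an exact version. A floating spec means a newly published
    release of that dependency is fetched on the next install without any
    edit to the consumer's manifest."""
    out = []
    for key, pkg in manifests.items():
        for dep, spec in pkg.get("dependencies", {}).items():
            if not EXACT_VERSION.match(spec):
                out.append((key, dep, spec))
    return out


if __name__ == "__main__":
    tree = load_manifests(SAMPLE_MANIFESTS)
    for pkg, hook, command in install_hooks(tree):
        print(f"install-time script: {pkg} runs '{command}' on {hook}")
    for pkg, dep, spec in floating_ranges(tree):
        print(f"floating range: {pkg} depends on {dep} {spec}")
```

In the constructed tree, `color-fmt` is reached both directly and through `util-lib`, and its `postinstall` script would run on every fresh install; `util-lib` reaches it via `~1.4.0`, so a newly published 1.4.x would be picked up automatically. A lockfile committed to the repository and `npm install --ignore-scripts` (or the equivalent `ignore-scripts` config setting) are the two controls this check points at: the first freezes what gets fetched, the second stops fetched packages from executing code on their own.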
The Trust in Open-Source Projects Is Now Gone
Others say that Pandora's box is now open, and that trust in open-source projects is completely destroyed. As pointed out by GitHub user nm17, now everybody is realizing that “their library/application can possibly be exploited to do/say whatever some random dev on the internet thought ‘was the right thing to do.’ Not a single good came out of this ‘protest.’”