Developer caught adding malicious code to popular open-source package
posted Friday Mar 18, 2022 by Scott Ertz
Open-source software has become a popular part of the software development cycle. It's easy to download, easy to include in a project, and it removes a lot of the heavy lifting that you don't want or need to do. However, it also means that you, as a developer, don't have full control over what might happen with your application. This week, that problem reared its ugly head when a developer added malicious code into a popular open-source package, node-ipc, that wreaked havoc in Russia and Belarus.
A protest or an attack?
The code, which was added into the open-source package node-ipc, wiped files on computers located in Russia and Belarus. The developer who added the code claimed it was part of a protest against the Russian and Belarusian governments. Many users are outraged, not only because their files were deleted, but also because they had no warning or control over what happened.
As with many issues revolving around the Russian invasion of Ukraine, the people suffering are not necessarily the ones involved. In this case, users of software from the open-source community are the victims of a political protest, in particular the citizens of the two countries in question, many of whom are not involved in what's happening. In fact, they're just trying to live their lives and were hit with a major curveball.
The dangers of open source
This isn't the first time that open-source software has been used to cause harm. In 2013, the OpenSSL Heartbleed bug allowed attackers to access sensitive information on servers that used vulnerable versions of OpenSSL. The bug affected millions of websites and led to a widespread loss of trust in open-source security.
In 2015, researcher Dr. Jared DeMott found over 200 backdoor accounts hidden in open-source projects on GitHub. These backdoors allowed anyone with access to add, modify, or delete code in the projects.
Last year, a group of researchers from UC Berkeley found that open-source developers were being paid to insert malicious code into popular open-source projects. The code would then be used to launch attacks or steal information from companies that used the compromised open-source libraries.
The safety of open source is an important issue and one that needs to be addressed by the community. With so much open-source code in use, it's essential that developers do everything they can to keep their code safe.
What can be done?
This incident raises a lot of questions about the safety of open-source software. Is it truly safe to use? How can we trust the maintainers of these packages?
For now, it's important to be aware of the risks involved in using open-source software. Make sure you understand the code and what it does before you include it in your project. And, if possible, try to find alternatives that are maintained by a team or company that you trust.
Open-source software can be a great tool, but we need to be careful about how we use it. Otherwise, we could end up causing more harm than good.