Socket’s Threat Research Team discovered that multiple npm packages contain protestware targeting Russian-language users on Russian or Belarusian domains by disabling UI interactions and playing the Ukrainian national anthem. This protestware originated from the SweetAlert2 package and has unintentionally propagated across numerous other packages without disclosure. #SweetAlert2 #Protestware #SocketThreatResearchTeam
Keypoints
- Protestware code disables mouse interactions and plays the Ukrainian anthem for users with Russian language settings visiting Russian or Belarusian domains.
- The original protestware was embedded in the popular SweetAlert2 npm package since version 11.6.14 released three years ago.
- At least 28 other npm packages have been found containing the same protestware code, often without any disclosure or documentation.
- This widespread reuse suggests unintentional supply chain propagation of protestware through copied code from SweetAlert2.
- The protestware only activates after a user visits a targeted domain more than once within a few days, reducing accidental impact.
- Socket marked these packages as malware due to the unexpected disabling of user interactions impacting user experience.
- Socket recommends using their security tools to detect such hidden functionality early in development workflows.
MITRE Techniques
- [T1491.001] Defacement: Internal Defacement – The protestware disables user interactions on targeted websites, effectively defacing normal functionality. ("document.body.style.pointerEvents = 'none';")
- [T1499] Endpoint Denial of Service – By blocking UI interactions, the affected users experience a denial of service at the endpoint level. (“disable all mouse-based interaction on the page”)
- [T1140] Deobfuscate/Decode Files or Information – A compound if statement is used to identify and target users based on browser language and visited domain before the payload activates. ("if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/))")
- [T1082] System Information Discovery – The script checks browser language settings and the visited domain to identify target users. (“navigator.language”, “location.host”)
Indicators of Compromise
- [File Name] npm packages containing protestware – sweetalert2 versions 9.17.3, 11.6.6, 11.6.14 to 11.22.2; starlawfirm-counsel-function-test; falcon-library-comp; vristo-components, and others listed with various versions.
- [Domain] Targeted domains – .ru, .su, .by, and .рф domains (Russian and Belarusian sites) where the protestware activates.
- [Audio Source URL] Payload plays Ukrainian anthem from – https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3