Protestware in JavaScript UI Toolkits on npm Target Russian Language Sites

Two npm packages, @link-loom/ui-sdk and @link-loom/react-sdk, contain protestware that blocks all mouse interaction with the page and plays the Ukrainian national anthem on a loop for Russian-language users visiting Russian or Belarusian domains. The behavior was never disclosed, shipped in multiple versions, and was removed in later releases. #linkloom #protestware

Keypoints

  • Two npm packages by the same author, @link-loom/ui-sdk (versions 1.0.6 to 1.0.99) and @link-loom/react-sdk (versions 1.0.100 to 1.0.151), contain hidden protestware targeting Russian-language users on Russian or Belarusian domains.
  • The protestware disables all mouse interaction on affected pages and plays the Ukrainian national anthem on repeat, and fires only if three or more days have passed since the user's last visit.
  • The trigger requires both conditions: the browser language is set to Russian and the page is served from a targeted domain, namely .ru, .su, .by, or the Cyrillic .рф domain.
  • @link-loom/ui-sdk is deprecated and was renamed to @link-loom/react-sdk; the hidden protestware was removed from the newer package after version 1.0.151.
  • Socket's analysis highlights the importance of carefully reviewing open source dependencies, since protestware introduces disruptive behavior that is nowhere documented.
  • The developer maintains several other projects and has recently made updates in related GitHub repositories, but the protestware is only present in specific package versions.
  • Socket recommends using its security tools to detect unexpected or malicious behavior early in the development process to prevent integration of protestware or malicious code.

MITRE Techniques

  • [T1491.001] Defacement: Internal Defacement – The protestware disables user interaction on webpages for targeted users. ("document.body.style.pointerEvents = 'none'; disables all mouse-based interaction on the page")
  • [T1499] Endpoint Denial of Service – The webpage stops responding to mouse input, effectively denying service to the user. ("Elements of the page will ignore clicks, hovers, scrolls, and more")
  • [T1140] Deobfuscate/Decode Files or Information – The hidden functionality was buried in a bundle of 100,000+ lines of code, making it hard to spot without a thorough review. ("If you're not reviewing every line of code, it would be easy to miss this.")
  • [T1082] System Information Discovery – The package checks the browser language ("navigator.language") and the page's host to decide whether the target conditions are met; xn--p1ai is the Punycode form of the .рф TLD. ("/^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)")

Indicators of Compromise

  • [Package Names] protestware presence – @link-loom/ui-sdk (versions 1.0.6 through 1.0.99), @link-loom/react-sdk (versions 1.0.100 through 1.0.151)
  • [File Names] modules containing protestware – ui-sdk.cjs.js, react-sdk.cjs.js
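
The following is an added example, not code from the Socket write-up or from the link-loom packages. It turns the indicators above into three offline checks a practitioner can run: matching lockfile entries against the affected version ranges, reproducing the quoted trigger predicate to see which (browser language, host) pairs would have fired, and a heuristic text scan of a bundle for the combination of behaviors described (TLD-targeting regex, language check, pointer-events kill, looping audio). The sample lockfile and bundle text are constructed for the demo; the indicator regexes are the editor's own heuristics, not Socket's detection rules.

```javascript
// Added example: offline checks derived from the indicators in the write-up.
// Sample inputs below are constructed; indicator regexes are heuristics.

// Affected version ranges as listed in the IOCs (inclusive).
const AFFECTED = {
  "@link-loom/ui-sdk":    { min: [1, 0, 6],   max: [1, 0, 99] },
  "@link-loom/react-sdk": { min: [1, 0, 100], max: [1, 0, 151] },
};

// Parse "1.0.42", "^1.0.42" or "v1.0.42-beta" into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if this exact (name, version) is inside an affected range.
function isAffected(name, version) {
  const r = AFFECTED[name];
  if (!r) return false;
  const v = parseVersion(version);
  return cmp(v, r.min) >= 0 && cmp(v, r.max) <= 0;
}

// Walk an npm lockfileVersion 2/3 "packages" map (keys are node_modules paths,
// so nested and scoped installs are handled by taking the last path segment
// after "node_modules/").
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const idx = path.lastIndexOf("node_modules/");
    const name = path.slice(idx + "node_modules/".length);
    if (isAffected(name, entry.version)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// The trigger predicate quoted in the write-up, parameterised so it can be
// evaluated without a browser: /^ru\b/ on navigator.language and a TLD match
// on location.host (xn--p1ai is Punycode for .рф).
const TARGET_HOST = /\.(ru|su|by|xn--p1ai)$/;
function isTargeted(language, host) {
  return /^ru\b/.test(language) && TARGET_HOST.test(host);
}

// Heuristic source scan: each indicator alone is common in benign code, so
// only the co-occurrence of three or more in one file is flagged.
const INDICATORS = {
  tldTargeting: /xn--p1ai|\(ru\|su\|by/,
  languageCheck: /navigator\.language/,
  pointerKill: /pointerEvents\s*=\s*['"]none['"]/,
  audioLoop: /\.loop\s*=\s*true|new Audio\(/,
};
function scanSource(text) {
  const hits = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(text))
    .map(([k]) => k);
  return { hits, suspicious: hits.length >= 3 };
}

// Constructed sample lockfile: one affected install, one fixed one.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/@link-loom/ui-sdk": { version: "1.0.42" },
    "node_modules/@link-loom/react-sdk": { version: "1.0.152" },
    "node_modules/react": { version: "18.3.1" },
  },
};

// Constructed bundle text modelled on the described behavior (not the real code).
const SAMPLE_BUNDLE = `
(function(){if(/^ru\\b/.test(navigator.language)&&location.host.match(/\\.(ru|su|by|xn--p1ai)$/)){
document.body.style.pointerEvents='none';var a=new Audio(SRC);a.loop=true;a.play();}})();`;

// Constructed benign text: two indicators, should not be flagged.
const BENIGN_SNIPPET = "const lang = navigator.language; overlay.style.pointerEvents = 'none';";

console.log(JSON.stringify({
  affected: findAffectedInLockfile(SAMPLE_LOCK),
  fires: isTargeted("ru-RU", "example.ru"),
  scan: scanSource(SAMPLE_BUNDLE),
}, null, 2));
```

Point `findAffectedInLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to check a real project; the version match is exact, so a range specifier in package.json is not enough, the resolved version in the lockfile is what counts. The trigger predicate also shows why the behavior escaped notice in development: a `localhost` host or an `en-US` browser locale never fires it.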


Read more: https://socket.dev/blog/protestware-on-npm-targets-russian-language-sites