Newly discovered open source npm packages contain postinstall scripts that broadcast peace messages related to conflicts, illustrating a persistent supply chain risk in open source software. Although these protestware instances are not inherently malicious, they show how widely used projects can be subtly altered to influence users, underscoring the need for deeper scrutiny of dependencies and postinstall behavior. #e2eakarev #es5-ext #sweater-comb #SignalMessengerWindows #AnonymousProtester
Key points
- Protestware packages on npm embed postinstall scripts that display political messages after installation.
- These messages are not necessarily malicious but reveal a real software supply chain risk in open source ecosystems.
- Notable examples include e2eakarev and es5-ext-based sweater-comb, which tailor messages by geography or context.
- The reach of protestware is broad, with widely used packages like Signal components potentially affected.
- Organizations should adopt deeper dependency scrutiny and modern software supply chain security tools to detect such behavior.
MITRE Techniques
- [T1195] Supply Chain Compromise – Attackers insert protestware during package distribution on npm to influence users. ‘Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts when they are deployed.’
- [T1059] Command and Scripting Interpreter – Postinstall scripts run after installation to perform actions. ‘index.js, which checks to see if the package is being launched in Israel.’
- [T1082] System Information Discovery – The postinstall script attempts to determine the geographic location of the host. ‘the postinstall script, _postinstall.js, which attempts to determine the geographic location of the host.’
Indicators of Compromise
- [File Name] context – e2eakarev (7.1.0), sweater-comb (2.1.1)
- [SHA1] context – a509f299c5a76ac0c91f9bfdd333cc367ce17dfa, b76ec90d7e1ae59b108b62ee8f8979a98b99da28
Read more: https://www.reversinglabs.com/blog/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza