"Select versions of the massively popular 'node-ipc' package were caught containing malicious code that would overwrite or delete arbitrary files on a system for users based in Russia and Belarus"
Do not do this
@Gargron I think the real problem here is that it is *possible* to do this in the first place. So many package managers are absolute security nightmares on every level.

@Gargron fuck fuck FUCK people really need to knock it off with this poorly thought through performative shit.

Ticket removed from GitHub, but it links here now: https://snippet.host/kvcb

You're Russian, right?

@Iutech I try not to give too many personal details away online. So I’m afraid I can’t give you a satisfying answer.

I understand, and thank you for replying anyway.

Modern software development is such a mess. How did we come to networked dependency managers downloading and executing untrusted code with no sandboxing without user consent being the norm? These used to be called RCE vulnerabilities. There need to be technical measures against this stuff. Or better yet: avoid networked dependency managers if you can. Treat every dependency like the liability it is.

ruff, this is pure vandalism, not a protest. Do protest. Don't vandalize stuff. That simple.

ruff, you aren't making any sense. Please answer this simple question: how exactly is a piece of malware unleashed upon innocent people an act of protest?

ruff, it's a fun assumption that Russian military uses computers at all.

> "shit happens" and learn the lesson (not to use npm)

@grishka I'm not defending the npm maintainer here... just pointing out that the rather manipulative game of looking for holes in one's logic you're playing here can be turned both ways.

Something is really messed up in your head 🤦♂️ I hope that it's only a side-effect of emotions and not your everyday thinking process. Let's say your family was shot by some African American. Now you're going to set a bunch of African American houses on fire because some of them MAY be SOMEHOW related to that. Sounds like a solid plan, yeah?

ruff, this isn't "my" president. I didn't elect him. I'm as ashamed of him as everyone else but there's nothing I personally can do to help this situation.

@ruff @grishka I mean this would probably work on general public, but looks like we have people who are able to think critically in this thread. I hope that someday you'll understand that this is the way to fool yourself and not to "defeat" your "opponent".

@ruff Protesting the war is fine, but protesting the war in the west is also completely performative. Putin won’t change his plans because somebody in the west went to a rally or a celebrity recorded a touching message. Turning your software package into malware that targets Russian civilians is pointless cruelty. They have no say over this war either, and it will hit the ones that are against it just as much. It already hit an NGO that documents Russian war crimes.

It gets worse. Here's a list of related open-source "performances": https://docs.google.com/spreadsheets/d/1H3xPB4PgWeFcHjZ7NOPtrcya_Ua4jUolWm-7z9-jSpQ/htmlview#

@Gargron "We hate your government, not you. So we're going to screw you over just for being in a specific place."