A sophisticated protestware campaign is actively targeting Russian and Belarusian internet users through a network of compromised npm packages. Threat actors have weaponized at least 28 new packages, containing nearly 2,000 versions of malicious code, to distribute politically motivated malware. This campaign represents a significant escalation in supply chain attacks, leveraging JavaScript package repositories to disrupt user interactions on targeted websites.
The malware operates through a complex conditional framework, specifically activating for users with Russian browser language settings who visit domains with extensions such as .ru, .by, .su, and .рф.
Once these conditions are met, the protestware disables all mouse-based interactions on affected websites and plays the Ukrainian national anthem on a loop, effectively rendering the sites unusable for the targeted demographic.
Socket.dev analysts identified the widespread distribution of this protestware, tracing its origins to unintentional supply chain contamination through the popular SweetAlert2 library. Developers unknowingly copied infected code from SweetAlert2 into their own packages, leading to the malicious code’s propagation across various affected packages, including UI component libraries and specialized development tools. Many of these packages contain over 100,000 lines of code, with the malicious payload strategically hidden deep within the codebase to evade detection during routine code reviews.
To ensure long-term impact and avoid immediate detection, the protestware uses browser localStorage to track user visits and delays payload activation by three days, so the code persists without triggering immediate suspicion. The core implementation relies on multi-layered conditional checks that verify the browser environment, language settings, and targeted domains.
Once all conditions are satisfied and the three-day timer has expired, the malware executes its payload: it disables mouse interactions and plays the Ukrainian national anthem from an external server. The persistence mechanism stores an initiation timestamp in localStorage and computes the elapsed time since the first visit, so that repeat users experience the full protestware impact while collateral damage to casual visitors is minimized.
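Because the payload sits inside very large bundles, a text-level indicator scan that looks for the combination of behaviours described above (language check, targeted TLD list, localStorage timestamp, day-scale delay constant, pointer blocking, looping remote audio) is a practical first pass over a dependency tree. The following is an added example for defenders, not Socket.dev's tooling and not code from SweetAlert2 or any affected package; the indicator names, regular expressions, threshold and the two fixtures are assumptions constructed for illustration, and the suspicious fixture is a bag of substrings rather than a program.

```javascript
'use strict';
// Heuristic indicator scanner for the protestware pattern described above.
// Added example, not Socket.dev's tooling and not SweetAlert2 code.
// Indicator names, regexes and the threshold are assumptions for illustration.

// Collect the distinct targeted TLDs that appear as quoted literals ('.ru', "by")
// or as alternatives inside a regex group such as (ru|by|su|рф).
function distinctTargetTlds(src) {
  const re = /(?:['"`]\.?|\||\()(ru|by|su|рф)(?=['"`]|\||\))/gu;
  const found = new Set();
  for (const m of src.matchAll(re)) found.add(m[1]);
  return [...found].sort();
}

// Each indicator is a predicate over raw JavaScript source (minified bundles
// included), so no parsing is needed and the scan is cheap enough for CI.
const INDICATORS = [
  { id: 'reads-browser-language',
    test: (src) => /navigator\.(language|userLanguage|languages)\b/.test(src) },
  { id: 'russian-locale-literal',
    test: (src) => /['"`]ru(-RU)?['"`]/i.test(src) },
  { id: 'targeted-tld-list',
    test: (src) => distinctTargetTlds(src).length >= 2 },
  { id: 'localstorage-timestamp',
    test: (src) => /\blocalStorage\b/.test(src) &&
      /\bDate\.now\s*\(\)|new\s+Date\s*\(\s*\)\s*\.getTime\s*\(\)/.test(src) },
  { id: 'multi-day-delay-constant',
    // N days expressed in milliseconds, e.g. 3 * 24 * 60 * 60 * 1000 or 259200000.
    test: (src) => /\b\d+\s*\*\s*24\s*\*\s*60\s*\*\s*60\s*\*\s*1000\b/.test(src) ||
      /\b(86400000|172800000|259200000)\b/.test(src) },
  { id: 'blocks-mouse-input',
    test: (src) => /pointer-?events\s*[:=]\s*['"]?none/i.test(src) ||
      /['"](mousedown|mouseup|click|contextmenu)['"][\s\S]{0,200}preventDefault/.test(src) },
  { id: 'looping-remote-audio',
    test: (src) => /new\s+Audio\s*\(\s*['"`]https?:\/\//.test(src) &&
      /\.loop\s*=\s*(true|!0)/.test(src) },
];

// Score one source file: which indicators fired, how many, and a verdict.
// Four of seven is an assumed threshold; tune it against your own corpus.
function scanSource(src, threshold = 4) {
  const hits = INDICATORS.filter((ind) => ind.test(src)).map((ind) => ind.id);
  return { hits, score: hits.length, verdict: hits.length >= threshold ? 'suspicious' : 'clean' };
}

// Constructed fixture: isolated substrings carrying the indicators from the
// description above. It is not the real payload and is not valid program code.
const CONSTRUCTED_SUSPICIOUS = [
  "navigator.language === 'ru'",
  "['.ru', '.by', '.su', '.рф']",
  "localStorage.getItem('t0') || Date.now()",
  "3 * 24 * 60 * 60 * 1000",
  "pointer-events: none",
  "new Audio('https://example.invalid/a.mp3').loop = true",
].join('\n');

// Constructed benign fixture: ordinary UI code that touches one indicator only.
const CONSTRUCTED_BENIGN = [
  "const lang = navigator.language || 'en-US';",
  "localStorage.setItem('theme', prefs.theme);",
  "button.addEventListener('click', () => openDialog());",
].join('\n');

// Usage: node scan.js [file.js ...]  (scans the fixtures when no files are given)
if (typeof require === 'function' && require.main === module) {
  const files = process.argv.slice(2);
  if (files.length === 0) {
    console.log('suspicious fixture:', scanSource(CONSTRUCTED_SUSPICIOUS));
    console.log('benign fixture:    ', scanSource(CONSTRUCTED_BENIGN));
  } else {
    const fs = require('fs');
    for (const f of files) {
      const r = scanSource(fs.readFileSync(f, 'utf8'));
      console.log(`${r.verdict.padEnd(10)} ${r.score}/${INDICATORS.length}  ${f}  [${r.hits.join(', ')}]`);
    }
  }
}
```

Run it over `node_modules/**/*.js` (or over the built bundle) in CI and treat any file scoring at or above the threshold as a review item: the individual indicators are common in legitimate code, so only the co-occurrence is meaningful, and a hit should be confirmed by reading the surrounding code rather than acted on automatically.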