The use of so-called “protestware” scripts has significantly increased throughout the npm open-source ecosystem in recent years, according to Socket’s Threat Research Team.
Initially found in two packages earlier this year, this protestware, originally written to disrupt the user experience of Russian-language users visiting Russian or Belarusian sites, has now been traced to at least 28 distinct npm packages and almost 2,000 affected versions.
The proliferation appears largely unintentional, highlighting acute risks in the global software supply chain.
Protestware Embedded
The technical functionality of the protestware remains consistent with the version first identified in SweetAlert2, a popular JavaScript library that replaces the browser's built-in pop-up dialogs and boasts over 700,000 weekly downloads.
Embedded deep within typically voluminous codebases, the protestware logic activates only when three criteria are all satisfied: the code is running in a browser environment, the browser language is set to Russian, and the page is served from a domain associated with Russia or Belarus (the .ru, .su, .by or .рф top-level domains).
If all three conditions are met, the script, after a short delay, disables all mouse-driven interaction on the page and loops the Ukrainian national anthem. It does not fire on a first visit: the code records a timestamp in the browser's localStorage and only activates once three days have passed since that first qualifying visit, so the payload reaches repeat and presumably deliberate visitors to such domains. Because localStorage is scoped per origin, that three-day clock runs separately for every site carrying the code.
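As an added example, not SweetAlert2's code or that of any package named in this article, the following JavaScript models the three-part gate and the localStorage-based waiting period described above so that its behaviour can be exercised outside a browser. The storage key name, the MemoryStorage stub and the sample visit times are assumptions for illustration. The punycode spelling .xn--p1ai of .рф is included because browsers expose location.hostname in ASCII form, so a check written only against the Cyrillic spelling would never match there.

```javascript
// Added example: a pure model of the trigger gate described in the article.
// Not SweetAlert2's code; key name, stub storage and demo input are assumptions.

// Top-level domains the article lists. location.hostname is ASCII-serialized in
// browsers, so an IDN TLD such as .рф shows up as .xn--p1ai; both are matched.
const TARGET_TLDS = ['.ru', '.su', '.by', '.рф', '.xn--p1ai'];
const WAIT_DAYS = 3;                 // waiting period described in the article
const STORAGE_KEY = 'first-seen';    // assumed name; the real key is not given here
const DAY_MS = 24 * 60 * 60 * 1000;

function isTargetHostname(hostname) {
  const h = String(hostname).toLowerCase();
  return TARGET_TLDS.some((tld) => h.endsWith(tld));
}

// Matches 'ru' and region variants such as 'ru-RU', but not 'rum' or 'en-RU'.
function isRussianLocale(language) {
  return /^ru(?:-|$)/i.test(String(language));
}

// Minimal stand-in for window.localStorage so the gate can run under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Evaluate one page visit. env = { isBrowser, language, hostname };
// storage is anything with getItem/setItem; now is epoch milliseconds.
// Returns 'skip'    - one of the three conditions is not met
//         'armed'   - first qualifying visit: timestamp recorded, nothing else happens
//         'waiting' - qualifying repeat visit still inside the waiting period
//         'fire'    - qualifying repeat visit after the waiting period: payload would run
function evaluateVisit(env, storage, now = Date.now()) {
  if (!env.isBrowser || !isRussianLocale(env.language) || !isTargetHostname(env.hostname)) {
    return 'skip';
  }
  const firstSeen = storage.getItem(STORAGE_KEY);
  if (firstSeen === null) {
    storage.setItem(STORAGE_KEY, now);
    return 'armed';
  }
  const ageDays = (now - Number(firstSeen)) / DAY_MS;
  return ageDays > WAIT_DAYS ? 'fire' : 'waiting';
}

// Replay a sequence of visit times against one origin's storage.
function simulateVisits(env, visitTimes) {
  const storage = new MemoryStorage();
  return visitTimes.map((t) => evaluateVisit(env, storage, t));
}

// Demo on constructed input: same user, same .ru origin, visits on day 0, 1 and 4.
const t0 = Date.parse('2025-01-01T00:00:00Z');
const demoEnv = { isBrowser: true, language: 'ru-RU', hostname: 'example.ru' };
console.log(simulateVisits(demoEnv, [t0, t0 + 1 * DAY_MS, t0 + 4 * DAY_MS]));
// → [ 'armed', 'waiting', 'fire' ]
```

The same three inputs (environment, browser language, hostname) plus a backdated storage entry are what a dynamic check of a suspect bundle would need to supply in order to observe the payload path rather than the silent first-visit path.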
While SweetAlert2's maintainer, limonte, has openly acknowledged the protestware in the project's documentation since early 2022, when it was added in response to Russia's invasion of Ukraine, the same cannot be said for the numerous other packages now identified as carriers.
These secondary packages, often maintained by entirely different authors and covering functionality ranging from table components and validation logic to user-interface libraries, carry near-identical snippets, filenames and structures copied from SweetAlert2.
In most cases, these maintainers provide no public disclosure or warning regarding the embedded protestware, raising concerns over transparency and user consent.
Unintentional Supply Chain Propagation
The spread follows a pattern familiar from supply chain compromises, even though the propagation was unintentional: as developers copied code from SweetAlert2 or bundled it as a dependency, the protestware block was carried along into their own releases.
For widely downloaded packages such as meshcentral, coone-annotation-tool, qumra-ui and others, this means that thousands of users may have deployed protestware-laden scripts in their own environments, often unaware of the code's intent.
The set of affected users is narrowed by the script's own logic: only visitors whose browser language is Russian and who are on a Russian or Belarusian national domain are targeted.
According to Socket's report, this limits collateral damage, since casual or accidental visits do not trigger the disruptive payload.
However, the check keys on browser language rather than location, and Russian speakers are spread well beyond Russia and Belarus, into countries such as Kazakhstan and parts of Ukraine, so there remains potential for overreach or unintended impact.
The scale and stealth of this propagation have reignited debates around protestware, ethics in open source, and the responsibilities of developers and maintainers.
With the protestware code now circulating, sometimes undisclosed, across dozens of libraries, the incident demonstrates how a politically motivated disruption can rapidly metastasize within the modern software supply chain, presenting operational and reputational risks to unsuspecting downstream users.
The incident underscores a critical need for vigilance, transparency, and far-reaching audits across dependency chains in the npm ecosystem and beyond.