A maintainer has been criticized\u00a0for creating a poisonous open-source npm program that can erase the hard drives of computers located in Russia and Belarus.<\/p>\n
The open-code npm source-code package called peacenotwar was written by Brandon Nozaki Miller, JavaScript’s package manager maintainer RIAEvangelist.<\/p>\n
The package has a 9.8 severity rating. It is tracked as CVE-2022-23812. It contains malicious code that targets users with IP located in Russia or Belarus and overwrites their files with a heart emoji.<\/p>\n
Miller initially wrote the code to protest Russia’s invasion of Ukraine. However, other capabilities were added and soon, the code started destroying computers’ file systems.<\/p>\n
Liran Tal, the Snyk researcher who uncovered the problem explain that such action could result in the maintainer not being trusted again.<\/p>\n
“Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community?” Tal said.<\/p>\n