It did do a lot of collateral damage: copy-paste from one of his victims
We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.
Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we back up the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.
Personally, my colleagues and I are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Professionally, our counsel suggested filing criminal charges federally and it's likely we'll be proceeding this way.
The correct way to write that code fragment would be:
if (Math.random() * 2 >= 1) return;
or:
if (Math.random() >= 0.5) return;
But the worst part is that he realised his cyberwarfare WMD wasn't working properly and deployed it anyway. I would not trust my geofence to keep the malware restricted to Belarus and Russia if I couldn't even figure out how to code a coinflip.
And if that geolocation isn't perfect, oh well, there's always collateral damage when you're fighting A HECKIN' WAR AGAINST POOTIN
As is tradition. Useful idiots being useful idiots.
ahahaha ngo based in Washington DC, "documenting Russian war crimes", probably soros funded propaganda group, oh noooos friendly fire!
Oh man. When Internet Historian gets around to covering the Ukraine war in a decade he definitely needs to include this
I really, REALLY hope they do this because the keks would be glorious.
I hope they do, this dipshit deserves it.
Hope you're not using a VPN either, otherwise you're just as bad as the evil rooskies
Do you expect the law to apply anymore? Worst thing that can happen is a slap on the wrist.
Just like arson, murder, and looting are felonies but J6 demonstrators are the ones rotting in solitary.
"BuT iT's UnDeR MiT LiCeNsE!!!1"
Who knew all scammers and hackers would have had to do was to put their ransomware and viruses under MIT license and they'd be free and clear, 100% legal.
By openly attacking computers located within two different nation states, good luck using the MIT license to protect yourself from state-backed cyberwarfare on literally every device and account this guy owns. He is no longer a civilian but an enemy combatant now.
Mental Outlaw was talking about potential 10 years, I think he'd be lucky to not have his bank accounts wiped and have his telecommunications tapped for the rest of his life.
Last week Github's recommendation was just a list of various DDoS tools pre-configured to attack Russian business/government sites. Normally a felony, now happily promoted on the top of trending of one of the largest websites from one of the largest American companies.
Let alone the fact that it will spawn a Russian side of the "hAcKeRs" narrative, where they can claim we do it too.
America is an anarcho-tyranny.
As long as the crimes are against groups the regime doesn't like, they will turn a blind eye. But the moment you or I even try to call out their hypocrisy, the IRS will make our lives miserable.
Looks like they're ... having some issues YEAAAAAAHHH
https://github.com/RIAEvangelist/node-ipc/issues
KEK: He cannot remove comments on the original issue, or close the new ones, fast enough
There are already way over 100 closed issues since this started and another 100 new ones :D
If you look now, there are no issues at all... suspiciously empty, one might think they wiped their issue list even.
That guy has now tanked his project hard, and other developers are going to fork his work to ensure it remains functional and that he does not pull that shit again.
469 closed issues, about 150 or so were from before the malware was added.
https://github.com/RIAEvangelist/node-ipc/issues?q=is%3Aissue+is%3Aclosed
I see the difference. I only looked at open issues. not the closed ones.
GitHub issue https://github.com/RIAEvangelist/node-ipc/issues/233
What in the world were they thinking?
Imagine if the US embassy in Moscow ran their code.
What about people connected to Russian VPN's?
And most of all, what about random Russian citizens with no fucking power to do anything about the situation even if they wanted to?
Congrats, that's some kid's dissertation you just wiped. Maybe you nuked their last surviving photographs of their parents for your stupid fucking virtue signal.
Indeed. The people who will be worst hit by this will be, I suspect, students and bedroom coders, who may have just lost years of work.
And what's the likelihood any of them are even using this software in the first place?
Just untargeted cluster munitions launched by civilian combatants in the cyber war, nothing to see here.
Can someone explain to me what this project does? Is it an OS-type thing? It seems odd that it would have the kind of access needed to change people's desktop.
A lot of developers just run everything as admin because it's easier than spending the time to properly carve out a user account and permissions. It's a terrible practice and when I mentor I try to discourage it, but a lot of times, especially graduates lately, kind of roll their eyes in a "whatever, old man, I'm never not going to just run as admin in the future to save myself 30 minutes."
fags, that's not acceptable from pros. maybe from cousin joe.
Move fast, break everything
I used to rock admin mode but now I keep it on the strictest setting because the number of times I actually have to admin up is low
Software developers use package managers like npm (javascript) in order to easily retrieve useful libraries for their app development.
Unfortunately, they often choose to install/run this software as root, which means it can do literally anything on their system.
If you don’t run it as root, you are immune to this developer’s shenanigans.
Yes. If you use something like BTRFS or ZFS, you can just restore what was lost from a previous snapshot. Hard to do that when you don't have anything on disk anymore. (of course you can then rely on some external backups, but it will take more work)
so it was a massive case of laziness/PEBKAC with these NGO devs, in essence?
NGO, this is either a 'feelings' operation, or a grifter operation.
Very much so. Developers are very lazy these days.
An article if someone wants a more in-depth breakdown: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
AMP IS GAY STOP USING IT NIGGARDS
https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
What does the amp at the end of the URL signify? I'm not familiar with it.
Google fuckery. Note that it doesn't always go at the end of the URL, different sites handle it in their own ways. https://en.wikipedia.org/wiki/Accelerated_Mobile_Pages
Gayness, apparently.
"WOOHOO REDDIT! WE FINALLY DESTROYED THOSE HECKIN RUSSARINOS! SUFFER, INNOCENT RUSSIAN CITIZENS WHO DID ABSOLUTELY NOTHING FUCKING WRONG"
OTOH there is a bright side to this: maybe a few more people will realise how stupid a concept NPM is.
NPM is abbrev for?
Node Package Manager I presume, but everyone calls it npm because that's what it's called.
The point is that it is responsible for distribution of all the js libraries people end up using in the field, with infamously little moderation as to what packages it distributes, thus enabling bullshit like this (or the previous colors debacle).
And of course the creator, Brandon Nozaki Miller, is a Californian.
https://www.google.com/maps/place/251+Clay+St,+Monterey,+CA+93940/@36.6041712,-121.9037448,1735m/data=!3m1!1e3!4m5!3m4!1s0x808de41e2dea26d7:0x9e8b68da88bf4cef!8m2!3d36.603793!4d-121.9011508
This guy.
more like node-npc
Here is his github account, report him for mass malware distribution: https://github.com/RIAEvangelist
It's bizarre to me that node has so little to lock down what dependencies can access, especially when it's such an free-for-all. Even if you take the good advice to specify specific dependency versions, you can't be 100% sure that when you update them, what you're updating to is safe. This idiot's actions seem amateurish. I imagine more thoughtful malware goes undetected - things that scan your hard disc for password, maybe something that targets individuals through social media ids on the naughty list, etc.
Allegedly deno (node successor, but not yet as popular) does something about the user of the dependencies being aware of, or having to explicitly grant access to, things like the filesystem, which seems not-stupid. If you need to use node, and so many things use it these days, you should probably run it in a VM or something, and maybe play detective a bit and try to catch malicious things.
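As an added example of the "pin your versions, but you still can't be sure what you're updating to" point in the comment above (this is not code from the thread, from node-ipc, or from any real project): a small audit that reads a package.json together with its package-lock.json and reports three things a reviewer would want to know before an install runs on a production box. The two manifests are constructed for the example; the only real identifiers in it are the package name node-ipc and the two destructive releases, 10.1.1 and 10.1.2, named in the public advisory.

```javascript
// Added example, not from the thread or from node-ipc. Audits a package.json
// plus a lockfile (v2/v3 "packages" map) for:
//   1. dependencies declared with a floating range (^, ~, >=, *, "latest"),
//      which let a later `npm install`/`npm update` pull a version nobody reviewed;
//   2. resolved versions that match a deny list of known-destructive releases;
//   3. lockfile entries flagged hasInstallScript, i.e. packages that run
//      arbitrary code at install time.

// Known-destructive releases: the two node-ipc versions named in the advisory.
const KNOWN_BAD = {
  'node-ipc': new Set(['10.1.1', '10.1.2']),
};

// An exact pin is a bare semver version, optionally with a prerelease tag.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Lockfile v2/v3 keys packages by install path; the package name is whatever
// follows the last "node_modules/" (handles nested installs and @scope/name).
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Returns a list of { name, kind, detail } findings; empty means nothing flagged.
function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!isExactPin(spec)) {
      findings.push({ name, kind: 'floating-range', detail: spec });
    }
  }
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // "" is the root project itself
    const name = packageNameFromPath(installPath);
    const bad = KNOWN_BAD[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ name, kind: 'known-bad-version', detail: entry.version });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, kind: 'install-script', detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample manifests (not a real project's files).
const SAMPLE_PACKAGE_JSON = {
  name: 'intake-service',
  version: '1.0.0',
  dependencies: {
    express: '4.17.3',      // exact pin: nothing to report
    'node-ipc': '^10.1.0',  // caret range: a future install may float upward
  },
  devDependencies: {
    eslint: 'latest',       // dist-tag: resolves to whatever is newest
  },
};

const SAMPLE_LOCK = {
  name: 'intake-service',
  lockfileVersion: 2,
  packages: {
    '': { name: 'intake-service', version: '1.0.0' },
    'node_modules/express': { version: '4.17.3' },
    'node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/eslint': { version: '8.11.0' },
    'node_modules/some-native-addon': { version: '1.0.0', hasInstallScript: true },
  },
};

function auditSample() {
  return auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
}

for (const f of auditSample()) {
  console.log(`${f.kind.padEnd(18)} ${f.name} (${f.detail})`);
}
```

On the sample manifests this flags node-ipc twice (a caret range in package.json and a resolved 10.1.2 in the lockfile), eslint once (the "latest" tag) and the native addon once (install script). Two caveats: the node-ipc payload ran when the module was loaded, not from an install script, so the install-script check complements the version deny list rather than replacing it; and a lockfile only protects you if you install from it with `npm ci` rather than a bare `npm install`. Node.js 20 and later also ship an experimental permission model (`--experimental-permission` with `--allow-fs-read`/`--allow-fs-write`), which is the closest thing in node itself to the explicit grants the comment attributes to deno.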
Software development failed to grow up.
In the 90s and early 2000s they tried to turn it into an engineering profession. Unfortunately they failed. Hipsters, dude bros, activists and idiots who think anyone can code after a weekend course took over.
wow it'd almost be like they were thrust into tech purposefully, i mean that would never happen in our world but still
Diversity
It's true and they all call themselves engineers. Sorry, bro, mashing up a few libraries to display something in a browser doesn't make you an engineer.
The safest approach is just do not run it as root. There is no need to do that anyway.
Which you can just restore from the system that is still functional. If the whole disk is wiped, then you are hosed without an external backup.
If you are running a Linux distribution a lot of this is set up by default, but you are right, I keep forgetting a lot of web developers run Windows.
Gosh, that must be what happened to Hillary
Textbook definition of blind hatred. In his quest to hurt the baddies he hurt the good guys more in collateral.
The dude single-handedly wipes out an NGO, which is a pseudo-government intelligence agency used to legitimize the current propaganda through data collection... this SJW is fucked. They'll bring him up on charges of espionage.
Oh wow. Never ever give root access to a package like this. That is actually nuts.
It has everything to do with root access.
I'm not downplaying anything. If I don't give software like this root access, it can't destroy my system.
That appears to be against the FOSS spirit.
Well duh, they chose Javascript for their projects.
A good lesson from this outside of the general caution is to develop some sort of automated incremental backup plan. It's so easy with all the tools that exist now and the low cost of storage.
Awesome, now I can't install anything FOSS until it's been out for at least a few days and without checking the issues tab to make sure some NPC isn't trying to destroy hundreds of hours of work because the media brainwashed him.
I'm living in the west and it's already clear that there is no "good guys side" in this war. The behavior here has been reprehensible to say the least.
This happy idiot better have God tier professional and/or corporate insurance otherwise he's about to lose his business, house and maybe the clothes he's wearing.
At the very least. In a sane and just world he'd be frog marched off to prison for a few years too.
It truly is crazy how powerful propaganda is.
Gee, way to screw over innocent Russian civilians just to get some virtue signal points.
https://www.google.com/maps/place/251+Clay+St,+Monterey,+CA+93940/@36.6041712,-121.9037448,1735m/data=!3m1!1e3!4m5!3m4!1s0x808de41e2dea26d7:0x9e8b68da88bf4cef!8m2!3d36.603793!4d-121.9011508
For any victims of this asswipe, or for 'dogooder' purposes.
While this is egregious, it doesn't wipe your disk. It writes a text file to the desktop.
Depends on where you live. It writes a file for people outside Russia and Belarus and deletes files for those in Russia and Belarus
From the CVE:
I looked through the change log in the module and didn't find it anywhere
It was deleted.
Here's a backup that was also helpfully de-obfuscated. It also contains his API key to the geolocation service.
https://gist.github.com/lithiumjs/76366c345475050f23e428d6539112d4
Make sure the company mentioned up-thread that plans on criminally prosecuting them for war crime aiding and abetting will get ahold of that, so they know which name to go after.
x4 makes the range [0,4] so (1,4] is 75% of range. Rounding down [1,1.5) to 1 is 1/8th of total range made not >1. 75% - 12.5% = 62.5%
Fuck Joe Brandon
Guy can't do basic math but of course he knows best when it comes to who should be allowed to have files on their computer.
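To put numbers on the "can't code a coinflip" point made in the comments above (the 62.5% calculation and the two posted corrections), here is an added example that is not code from the thread or from node-ipc. The gate it tests, `Math.round(x * 4) > 1`, is reconstructed from the comments' own description of the fragment; the two corrected forms are the ones posted in the thread. It measures each gate's hit rate exactly on a uniform grid and again by seeded simulation.

```javascript
// Added example, not from the thread or from node-ipc. Compares the gate the
// comments describe against the two corrected forms and measures how often
// each one fires for x uniform on [0,1).

// Reconstructed from the comments' description: true means "skip the payload".
function originalGate(x) {
  return Math.round(x * 4) > 1;
}

// The two corrections posted in the thread, both a genuine 50/50.
function correctedGateA(x) {
  return x * 2 >= 1;
}
function correctedGateB(x) {
  return x >= 0.5;
}

// Fraction of [0,1) on which gate() is true, sampled at grid midpoints.
// Each gate above has a single threshold (0.375 for the original, 0.5 for
// the corrections); with 8000 steps every threshold falls strictly between
// two grid points, so the grid count is exact rather than approximate.
function hitRate(gate, steps = 8000) {
  let hits = 0;
  for (let i = 0; i < steps; i++) {
    if (gate((i + 0.5) / steps)) hits++;
  }
  return hits / steps;
}

// Small deterministic PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Monte Carlo estimate with the seeded PRNG standing in for Math.random(),
// which is what the real code called.
function simulateHitRate(gate, samples = 200000, seed = 1) {
  const rand = mulberry32(seed);
  let hits = 0;
  for (let i = 0; i < samples; i++) {
    if (gate(rand())) hits++;
  }
  return hits / samples;
}

function main() {
  for (const [label, gate] of [
    ['Math.round(x * 4) > 1', originalGate],
    ['x * 2 >= 1           ', correctedGateA],
    ['x >= 0.5             ', correctedGateB],
  ]) {
    console.log(`${label}  exact: ${hitRate(gate)}  simulated: ${simulateHitRate(gate)}`);
  }
}
main();
```

The original gate returns true whenever `4x` rounds to 2, 3 or 4, i.e. for `x >= 0.375`, so it skips the payload 62.5% of the time and fires it 37.5% of the time; the two corrections split exactly at 0.5. The practical point for anyone reviewing a dependency is the same one the comment makes: a "random" gate that is wrong by this much is a sign the code was never tested, and nothing else in the module, the geofence included, should be assumed to work any better.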
Oh wow. What a fucking cunt.