Don’t Trust Open-Source Software in 2022 (Or Ever?)

Posted in Software on 17 March 2022

The open-source community, and the concept in general, are mostly considered a good phenomenon. Maintainers of free software are praised, as in most cases they dedicate their own time and money to making sure the apps and modules they develop or look after can be used by the rest of the world. And they use this power to make the world a better place.

Except when they go a bit too far.

I Will Strike Down Upon Thee!

When was the last time you audited the code of the open-source Software you use on a daily basis?

Well, get used to doing that regularly from now on. RIAEvangelist, a maintainer of a popular Node.js module named "node-ipc", apparently came to the realization that he gets to decide the fate of some users' files: he recently submitted a new patch to the module which does something that technically falls under the "malware" category. The update added new stealth functionality that would recursively go through the user's files and replace the contents of each one with ❤️ (a heart emoji) if it detected that the user was located in Russia or Belarus.

Insane IP geo patch that overwrites files

Apparently this was supposed (?) to help (?) stop (?) the on-going conflict between Russia and Ukraine? Don't ask... I don't get it either.

When called out by numerous people, the developer tried to justify (yes, really, justify!) his actions, but instead of proudly standing up for his fair and righteous beliefs went full damage-control mode, whilst desperately removing posts and discussions on the topic. This is the most active one: https://github.com/RIAEvangelist/node-ipc/issues/233. There's also another discussion started by the original poster to make sure RIAEvangelist wouldn't be able to alter the contents. Ultimately, the maintainer decided to force-push brand new commits, trying to sweep the fiasco under the rug. Here's the snap.

Regardless of how insane of a decision it was, the whole premise of letting a geo-location service decide the fate of the users' files is absolutely incredible. Because, you know... IP geo-location services are known for their pin-point accuracy, so of course it would only target people of the Russian and Belorussian nationality. Right? Isn't that how IP geo-location works? Isn't it?..

The case was very soon picked up by hundreds of people (as well as some who actually lost important data!).

RIAEvangelist Twitter reports

After that, the developer urgently changed the behavior of the malicious script to not overwrite the files, but it was too late. Like way too late. Now RIAEvangelist is desperately trying to cover this up by removing comments and posts related to the issue. I made a backup of the aforementioned GitHub issue page precisely in case something like this happened. Here it is.

The whole situation was so bad in fact, that even Unity users were affected!

Unity forum post

This in particular seems to have been caused by malicious changes in another repo the same dev is maintaining, which ended up being included with other Unity Hub files and modules. Here's a backup snapshot of that repo as well.

So Unity had to issue an urgent patch to their Hub App:

Unity hub urgent patch

A Lesson in History

Doing such malice to production assets is never OK. It can get you and a lot of other innocent people in real trouble, just like it happened in 2021 to the University of Minnesota, which got outright banned from Linux development for deliberately buggy patches, submitted by a couple of dim-wits who thought they were (somehow) doing a great good by placing millions of machines at a real risk.

University of Minnesota banned from Linux development

Now what?

My advice: if you can help it, don't update your open-source apps, packages and dependencies in 2022, especially if they are only maintained by smaller devs without any official financial backing or regular audit. You can never be certain some lunatic won't decide to wipe your whole drive based just on your IP address.
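One way to act on this in a Node.js project, as an added example that is not from the original post or from any project it mentions: flag every dependency spec that lets npm pull in a newer release without review, and list every resolved copy of a named module in an npm lockfile, including copies that arrive through another package. The manifest, the lockfile, all package names other than node-ipc and every version string below are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample manifest (shape of package.json); names and versions are made up.
const samplePackageJson = {
  dependencies: { "example-app-lib": "^2.1.0", "left-helper": "1.4.2" },
  devDependencies: { "build-tool": "latest", "lint-rules": "~0.9.0" },
};

// Constructed sample lockfile (shape of package-lock.json v2/v3); versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/example-app-lib": { version: "2.1.0" },
    "node_modules/example-app-lib/node_modules/node-ipc": { version: "0.0.0-placeholder" },
    "node_modules/left-helper": { version: "1.4.2" },
  },
};

// An exact pin is a plain x.y.z, optionally with prerelease or build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return every spec that is not an exact version: ranges (^, ~, *), dist-tags
// such as "latest", and git/URL specs all resolve to whatever is published later.
function floatingSpecs(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(String(spec).trim())) out.push({ field, name, spec });
    }
  }
  return out;
}

// Lockfile keys look like "node_modules/a/node_modules/b". The text after the
// last "node_modules/" is the package name (scoped names keep "@scope/name").
function findInLock(lock, target) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the root project entry ""
    if (path.slice(idx + marker.length) !== target) continue;
    // A nested path means the copy was brought in under another package.
    const via = idx === 0 ? "top-level" : path.slice(0, idx - 1);
    hits.push({ path, version: meta.version, via });
  }
  return hits;
}

console.log(floatingSpecs(samplePackageJson));
console.log(findInLock(sampleLock, "node-ipc"));
```

Exact pins only hold if installs actually follow the lockfile, which is what `npm ci` does.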

Surprise:

He maintains a lot of packages

You may think that I'm taking it too far by openly advising not to trust any open-source Software, but this is where I stand for now.

From now on you should be very wary of what "surprises" you might be receiving together with your "free" updates. Because someday instead of new useful functionality you might end up downloading malware, which although created under false or misguided pretenses, can do real harm to your data.

The world of open-source will never be the same. What a waste!