npm package with 600,000 weekly downloads adds anti-war message to its code

After the npm package "node-ipc", with millions of weekly downloads, poisoned the supply chain in the name of anti-war protest, another developer has added anti-war elements to his code. On March 17th, Russian developer Viktor Mukhachev (aka Yaffle) added an unusual piece of code to his popular npm library "event-source-polyfill". The code, introduced in version 1.0.26, makes applications built with the library display an anti-war message to Russian users 15 seconds after startup.

Polyfill packages implement JavaScript functionality on web browsers that do not support it natively. The package at the centre of this article, event-source-polyfill, brings Firefox's "EventSource" API to other web browsers. It is currently used by over 135,000 GitHub repositories and downloaded over 600,000 times a week from npm.

Unlike "node-ipc", which aggressively wiped Russian users' hard drives, the "event-source-polyfill" code does not delete any data or break the application. Instead, it shows a text box notification urging Russia to end its "unreasonable invasion" of Ukraine and exhorting Russian civilians to beware of "one-sided" news and to seek reliable sources such as the BBC's Tor website (...). The last line of the code also directs the user to a Change.org anti-war petition once the text box notification is dismissed.

What is interesting is that in the earlier "node-ipc" poisoning incident, netizens overwhelmingly condemned the node-ipc author, saying the act did "huge damage" to the credibility of the entire open source community. In contrast, although the malicious code in the new version of event-source-polyfill has also sparked intense discussion, many people support the author, arguing that it is "just code", and the two sides have carried their debate onto GitHub.

"For some, it's malware, and for some in Russia, it could be valuable information and helpful."

"To me, sabotage means that the intent of the act is to defeat the original purpose of the project. The act seems inconsistent with the original purpose of the project, so it's vile, but it's not really sabotage."

It is not my intention to judge whether the act is good or evil. This anti-war petition may be a heroic event for some. However, adding content unrelated to the functionality of open source software without the user's knowledge is still essentially a form of poisoning. This incident further undermines the trustworthiness and reliability of open source libraries at a time when npm problems are frequent.

Secretly adding some anti-war elements to the code will always do more harm than good.


Origin www.oschina.net/news/190796/popular-npm-package-anti-war-element