Threat Actors Deploy 28+ Malicious Packages to Spread Protestware Scripts


Socket’s Threat Research Team has discovered a network of at least 28 malicious packages containing protestware scripts, totaling approximately 2,000 copies, marking a major escalation within the npm supply chain.

These packages, initially flagged in two instances for hidden functionality targeting Russian-language users on Russian or Belarusian domains, have proliferated across the ecosystem.

The protestware, classified under Socket’s alert system, disrupts user interface interactions by disabling mouse events and initiating playback of the Ukrainian national anthem, effectively rendering affected web pages non-functional for specific users.

This development highlights the risks of code reuse in open-source repositories, where undisclosed payloads can cascade through dependencies, amplifying potential impacts on downstream applications.

Discovery of Widespread Protestware

The malicious code manifests as a deeply embedded snippet within packages often exceeding 100,000 lines of code, typically positioned toward the end for obfuscation.

It employs a multifaceted conditional check: verifying the execution ...
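One way to triage dependency source for the pattern described above, as an added example that is not from the article or from Socket: it flags a file only when the locale and hostname targeting checks and both disruptive behaviours co-occur, and records whether each hit sits in the last fifth of the file. The regexes, the `scanSource` name, and the sample strings are assumptions constructed for illustration.

```javascript
// Added example. The regexes are assumptions about how such a payload could
// appear in source text; they are not Socket's rules or published indicators.
const INDICATORS = {
  localeCheck: /navigator\.(languages?|userLanguage)/,
  hostCheck: /location\.(hostname|host|href)/,
  ruByTld: /["'`]\.?(ru|by)["'`]|\\\.(ru|by)\b/,
  pointerBlock: /pointer-?events["'`\s:=,]{1,6}none/i,
  audioPlayback: /new\s+Audio\s*\(|<audio\b|\.play\s*\(/i,
};

// Scan one file's text. A file is flagged only when the targeting checks
// (locale + hostname + .ru/.by literal) and the disruptive behaviour
// (pointer events disabled + audio playback) all appear in it.
function scanSource(source, tailFraction = 0.2) {
  const lines = source.split(/\r?\n/);
  const tailStart = Math.floor(lines.length * (1 - tailFraction));
  const hits = [];
  lines.forEach((text, i) => {
    for (const [name, re] of Object.entries(INDICATORS)) {
      if (re.test(text)) hits.push({ name, line: i + 1, inTail: i >= tailStart });
    }
  });
  const seen = new Set(hits.map((h) => h.name));
  const targeting = ["localeCheck", "hostCheck", "ruByTld"].every((n) => seen.has(n));
  const disruption = ["pointerBlock", "audioPlayback"].every((n) => seen.has(n));
  return { suspicious: targeting && disruption, targeting, disruption, hits };
}

// Constructed samples: filler lines, then inert fragments ("..." marks elided
// code) that carry only the tokens the scanner looks for.
const filler = Array.from({ length: 40 }, (_, i) => `export const f${i} = () => ${i};`);
const flaggedSample = [
  ...filler,
  'if (navigator.language ... && location.hostname ... ".ru" ...) {',
  '  ... style.pointerEvents = "none" ...',
  '  ... new Audio( ... ).play( ... )',
  "}",
].join("\n");
// An ordinary audio helper alone must not trip the verdict.
const cleanSample = [...filler, 'const a = new Audio("click.mp3"); a.play();'].join("\n");

console.log(scanSource(flaggedSample).suspicious, scanSource(cleanSample).suspicious); // true false
```

A positive verdict is a prompt for manual review of the reported lines, not proof of protestware; minified single-line files still match, but the `inTail` position is then meaningless.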


Copyright of this story solely belongs to gbhackers.