I wanted to note this new trend – protestware. What’s that? Developers deliberately sabotage their own software libraries as a form of protest — turning software into “protestware.” Pulling from TechCrunch:
In July, the developer of the widely used atomicwrites Python library Markus Unterwaditzer temporarily deleted his code from the popular code registry PyPI after the site said it would mandate two-factor authentication for maintainers of “critical projects” — projects that fell into the top 1% of all downloads on the registry.
A week into 2022, thousands of applications that rely on the heavily used npm projects colors and faker broke and began printing gibberish text on users’ screens. It wasn’t a malicious actor hijacking and altering these legitimate libraries. It turned out the project’s developer Marak Squires had intentionally corrupted his own work to send a message of protest to big corporations.
Squires’ protest was prompted by the Log4Shell security flaw that burdened Log4j project maintainers, primarily open source volunteers, with critical vulnerability patching over the December holidays. Squires had earlier expressed frustration at Fortune 500 companies using his free, open-source code without offering financial support or sponsoring their upkeep. The Log4Shell vulnerability only reinforced that sentiment — that the businesses ubiquitously reliant on Log4j in their applications have not done enough to support the unpaid volunteers. They sustain these critical projects in their free time.
In March 2022, weeks after Russian troops crossed into Ukrainian territory, the popular npm project node-ipc — downloaded over a million times each week — began wiping the machines of suspected Russian and Belarusian developers. The project’s developer, Brandon Nozaki Miller, allegedly sabotaged the code to corrupt the computers it was installed on. The sabotaged versions of node-ipc — now effectively malware — were taken down from the npm registry.
But here’s the key passage:
“The conversation around ‘protestware’ is really a conversation about software supply chain security. You can’t trust what you can’t verify,” Dan Lorenc, the co-founder and chief executive of Chainguard, a startup specializing in software supply chain security, told TechCrunch.
Why do we care?
Besides wanting to understand precisely what protestware is, which I think has a lot of value, there’s the relation to a trend we already discussed: supply chain security. A phrase that wasn’t even in use just a few short years ago is becoming key to how product is delivered. As such, services companies have a new challenge to face, but on protestware specifically they should be able to leverage any work already done on overall supply chain security. That’s the good news. It’s a big problem, but protestware doesn’t add anything more to it… especially if you already don’t trust anything.
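To make “you can’t trust what you can’t verify” concrete, here is an added example (mine, not from the post or TechCrunch) of the kind of lockfile audit that supply chain work already gives you against protestware. A sabotaged release reaches downstream projects when a dependency is declared as a floating range (the new version is pulled on the next update) or when nothing pins the exact bytes that get installed. The script reads an npm package-lock.json, flags floating ranges in the root manifest, entries with no integrity hash (the digest `npm ci` checks the tarball against), and tarballs resolved from a registry outside an allow-list. The lockfile, the package names and the hashes below are constructed sample data, and `ALLOWED_REGISTRIES` is an assumed project policy.

```python
import json
from urllib.parse import urlparse

# Assumption: this project only ever installs from the public npm registry.
ALLOWED_REGISTRIES = {"registry.npmjs.org"}

# Constructed sample lockfile (npm lockfileVersion 2 layout). The integrity values are
# placeholders, not real digests, and the packages are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {
            "dependencies": {
                "colors": "^1.4.0",          # floating: any 1.x release satisfies it
                "faker": "5.5.3",            # pinned to one release
                "left-pad": "~1.3.0",        # floating: any 1.3.x release satisfies it
                "some-internal-lib": "1.0.0",
            }
        },
        "node_modules/colors": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
            "integrity": "sha512-PLACEHOLDER-DIGEST-1",
        },
        "node_modules/faker": {
            "version": "5.5.3",
            "resolved": "https://registry.npmjs.org/faker/-/faker-5.5.3.tgz",
            "integrity": "sha512-PLACEHOLDER-DIGEST-2",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            # no "integrity": nothing verifies the bytes that get installed
        },
        "node_modules/some-internal-lib": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/example/some-internal-lib.git",
            "integrity": "sha512-PLACEHOLDER-DIGEST-3",
        },
    },
})


def is_floating(spec: str) -> bool:
    """True when an npm version spec can resolve to more than one release."""
    s = spec.strip()
    if s in ("", "*", "latest") or s.startswith(("^", "~", ">", "<")):
        return True
    # "1.2.x", "1 - 2", "a || b" and dist-tags such as "next" are all floating.
    return any(tok in s for tok in ("||", " - ", "x", "X"))


def audit_lock(lock_text: str) -> list[tuple[str, str]]:
    """Return (package, finding) pairs for everything that weakens verification."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    findings = []

    # 1. Root manifest ranges: a floating range lets `npm update`, or an install that
    #    ignores the lockfile, pull in a release nobody has reviewed.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if is_floating(spec):
            findings.append((name, f"FLOATING_RANGE {spec}"))

    # 2. Locked entries: require the hash `npm ci` verifies against, and a known source.
    for path, entry in packages.items():
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested node_modules paths
        if not entry.get("integrity"):
            findings.append((name, "NO_INTEGRITY"))
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname if resolved else None
        if host not in ALLOWED_REGISTRIES:
            findings.append((name, f"UNTRUSTED_SOURCE {resolved or '<none>'}"))

    return sorted(findings)


if __name__ == "__main__":
    for package, finding in audit_lock(SAMPLE_LOCK):
        print(f"{package}: {finding}")
```

Run it in CI against the real lockfile and fail the build on any finding; the same three checks translate directly to Python lockfiles (hash-pinned requirements files) and any other ecosystem where a registry can serve a new release under an old name.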