Protestware
What is Protestware?
Protestware: Open-source software whose maintainer adds politically motivated code that displays a message or sabotages users perceived to be in a targeted country.
Protestware is a controversial category: maintainers of popular open-source libraries deliberately ship updates that print political slogans, refuse to run, or, in extreme cases, destroy data on machines whose geolocation matches a targeted region. The best-known case is node-ipc in March 2022, where the maintainer published a version that wiped files on systems geolocated to Russia or Belarus, hitting many uninvolved downstream organisations including aid groups. Other examples include faker.js and colors.js, where the maintainer self-sabotaged to protest unpaid labour. Whatever the cause, protestware is treated as a supply-chain attack by most enterprise security policies. Defences include lockfiles, vetting upstream changes, OpenSSF Scorecard checks, and SBOM-driven incident response.
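As an added illustration of the lockfile and SBOM-driven checks named above (example code, not from the original page), the following Python audits a package-lock.json against a blocklist of known protestware releases and flags entries that cannot be verified. The sample lockfile, its version numbers, integrity strings and the blocklist are constructed placeholders, not the real affected releases.

```python
import json
import re

# Constructed sample package-lock.json (lockfileVersion 2/3 layout). The
# package names are real; the versions and integrity strings are placeholders,
# not the actual affected releases.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"node-ipc": "^10.0.0", "colors": "1.4.0"}},
        "node_modules/node-ipc": {"version": "10.0.9",
                                  "integrity": "sha512-PLACEHOLDER"},
        "node_modules/colors": {"version": "1.4.0",
                                "integrity": "sha512-PLACEHOLDER"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed blocklist of (package, version) pairs; in practice this is fed
# from advisory data during SBOM-driven incident response.
PROTESTWARE_RELEASES = {("node-ipc", "10.0.9"), ("colors", "9.9.9")}

EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")


def audit_lockfile(lock_text, blocklist):
    """Return (package, version, reason) findings for a lockfile's contents."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    findings = []
    # 1. Root manifest ranges: a caret/tilde range lets a fresh install pull a
    #    newer, possibly sabotaged release if the lockfile is missing or ignored.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if not EXACT_SEMVER.fullmatch(spec):
            findings.append((name, spec, "range spec; pin an exact version"))
    # 2. Resolved packages: compare against the blocklist and require an
    #    integrity hash so the installed tarball can be verified offline.
    for path, entry in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if (name, version) in blocklist:
            findings.append((name, version, "known protestware release"))
        if "integrity" not in entry:
            findings.append((name, version, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE, PROTESTWARE_RELEASES):
        print("%s@%s: %s" % finding)
```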
● Examples
- node-ipc (March 2022): peacenotwar/wiper code targeted IPs in Russia and Belarus.
- colors.js and faker.js (2022): the maintainer pushed infinite loops to protest lack of funding.
● Frequently asked questions
What is Protestware?
Open-source software whose maintainer adds politically motivated code that displays a message or sabotages users perceived to be in a targeted country. It belongs to the Attacks & Threats category of cybersecurity.
What does Protestware mean?
Open-source software whose maintainer adds politically motivated code that displays a message or sabotages users perceived to be in a targeted country.
How does Protestware work?
Protestware is a controversial category: maintainers of popular open-source libraries deliberately ship updates that print political slogans, refuse to run, or, in extreme cases, destroy data on machines whose geolocation matches a targeted region. The best-known case is node-ipc in March 2022, where the maintainer published a version that wiped files on systems geolocated to Russia or Belarus, hitting many uninvolved downstream organisations including aid groups. Other examples include faker.js and colors.js, where the maintainer self-sabotaged to protest unpaid labour. Whatever the cause, protestware is treated as a supply-chain attack by most enterprise security policies. Defences include lockfiles, vetting upstream changes, OpenSSF Scorecard checks, and SBOM-driven incident response.
How do you defend against Protestware?
Defences for Protestware combine technical controls (lockfiles, vetting upstream changes, OpenSSF Scorecard checks) with operational practices (SBOM-driven incident response), as detailed in the full definition above.
What are other names for Protestware?
Common alternative names include: Politically motivated package, Sabotage update.
● Related terms
- Malicious npm Package (attacks): An npm package that contains hidden code designed to steal data, install malware, or compromise downstream applications when installed.
- Supply Chain Attack (attacks): An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- Wiper Malware (malware): Destructive malware whose primary goal is to irreversibly erase or corrupt data, firmware, or boot records — not financial gain.
- Typosquatted Package (attacks): A malicious open-source package published under a name that closely resembles a popular library so that developers install it by mistake.