How does this "protest" affect the Russians?<p>How would deliberately annoying your entire user base by creating spam files on their desktop and synced folders without permission possibly help anything?<p>All it will do is cause chaos as people suspect that their dev and CI machines have been infected with a virus, costing time and money to track down what happened. Then they'll be angry at YOU, not the Russians.
The full timeline of events and details about how this unfolds are covered here in my write-up: <a href="https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/" rel="nofollow">https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-pack...</a>
Right now it's included as a dependency only in the node-ipc package [1] from the same author (1M weekly downloads/355 dependents).<p>[1] <a href="https://www.npmjs.com/package/node-ipc" rel="nofollow">https://www.npmjs.com/package/node-ipc</a>
Yet another manifest found in es5-ext: <a href="https://github.com/medikoo/es5-ext/issues/116" rel="nofollow">https://github.com/medikoo/es5-ext/issues/116</a>