Protestware: “peacenotwar” NPM package drops anti-war message on user's desktop

How does this &quot;protest&quot; affect the Russians?<p>How would deliberately annoying your entire user base by creating spam files on their desktop and synced folders without permission possibly help anything?<p>All it will do is cause chaos as people suspect that their dev and CI machines have been infected with a virus, costing time and money to track down what happened. Then they&#x27;ll be angry at YOU, not the Russians.

The full timeline of events and details about how this unfolds are covered here in my write-up: <a href="https:&#x2F;&#x2F;snyk.io&#x2F;blog&#x2F;peacenotwar-malicious-npm-node-ipc-package-vulnerability&#x2F;" rel="nofollow">https:&#x2F;&#x2F;snyk.io&#x2F;blog&#x2F;peacenotwar-malicious-npm-node-ipc-pack...</a>

Right now it&#x27;s included as a dependency only in node-ipc package [1] from the same author (1M weekly downloads&#x2F;355 dependents).<p>[1] <a href="https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;node-ipc" rel="nofollow">https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;node-ipc</a>

Yet another manifest found in es5-ext: <a href="https:&#x2F;&#x2F;github.com&#x2F;medikoo&#x2F;es5-ext&#x2F;issues&#x2F;116" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;medikoo&#x2F;es5-ext&#x2F;issues&#x2F;116</a>