EDIT - found the original comment which was since removed: https://github.com/RIAEvangelist/node-ipc/issues/308

Image of the original post

Text from the link in the comment:

We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.

Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we back up the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.

Personally, me and my colleagues are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Professionally, our counsel suggested filing criminal charges federally and it's likely we'll be proceeding this way.

lol, CIA/NED owned.

  • jizzy [any]
    ·
    3 years ago

    Professionally, our counsel suggested filing criminal charges federally and it’s likely we’ll be proceeding this way.

    Sounds like a decent but elaborate troll, I think this line gives it away too much.

    I'm also not sure what legal recourse they actually have. Nobody forced them to update their dependencies without checking them. What crimes exactly are broken by an open source developer modifying a package to do something like this? If their modifications otherwise broke this NGO's data collection/deleted files by accident, is the developer liable? Almost certainly not, I haven't checked node-ipc's license but I don't think you can spin a CFAA charge if the code is open and the developer is free to modify as they see fit...

    • sysgen [none/use name,they/them]
      ·
      3 years ago

      They absolutely have legal standing. This is text-book CFAA.

      The code that caused this was obfuscated, the developer deliberately tried to make it difficult to figure out. So it's not any different to internet malware written in JavaScript.

      Any lawyer would definitely recommend criminal charges - it was definitely criminal.

    • Sphere [he/him, they/them]
      ·
      3 years ago

      There's a world of difference between screwing up and acting maliciously, and this is 100% the latter. It's a clear violation of software developer ethics and, given how incredibly broad and vague the CFAA's provisions are, almost certainly criminal.

    • Frank [he/him, he/him]
      ·
      3 years ago

      I'm sure they can find something. Deliberately pushing code with malice has to be against some law, somewhere. If nothing else they could pursue civil damages.