Software is becoming more interdependent, and that’s a big security problem


On March 16, 20 days after Russia invaded Ukraine, users of the Vue.js development environment panicked. Vue is a set of tools that make it easy for developers to create interfaces for websites and web applications, including companies like Facebook, Netflix, and Nintendo. According to BuiltWith, it powers 19.8% of the top 10,000 websites in the world.

So, what does the popular programming tool have in common with the war in Ukraine? Under the hood, Vue, like all tools of its kind, relies on a set of other software packages that it automatically downloads. Software packages make it easy for programmers to add functionality to their applications without having to write code from scratch.

In this case, Vue included a dependency on a package called “node-ipc” whose developer decided to add a small amount of code that creates a text file containing anti-war messages to the desktops of those who use it. But if the package was installed on a device with a Russian or Belarusian IP address, it also began to erase files from the device and replace them with heart emojis.

This was not the first such incident. Earlier this year, the developer of two other popular packages sabotaged them by modifying them to display meaningless text instead of the expected output.

These incidents show how software developers rely on an increasingly large ecosystem of third-party packages. While these packages can greatly simplify and speed up development, they also have significant security implications.

A 2018 study of npm — the package manager that is the largest and most used repository of third-party packages for JavaScript developers — found that in 2018, the average package automatically installs three additional packages in order for the software to function. These additional packages will in turn install even more packages. On average, the total amount for installing just one package was about 80 packages from 40 developers. This number has likely increased since then.

Content from our partners

How data can help revitalize our downtown streets in the age of online shopping

Why access to digital technologies is a vital element of improving

How to help ethnic minority-led firms succeed

As the researchers note, this creates serious security problems, since malicious code in one package can affect thousands of others. Just 20 developers (out of over 150,000) are needed to compromise half the ecosystem.

While the npm ecosystem is notorious for its complexity and interconnectedness, other programming languages ​​face similar challenges.

To mitigate these security concerns, the researchers propose implementing review processes for developers responsible for maintaining and updating packages, verifying their identity, and helping them understand security principles. Whatever the outcome, such attacks are likely to increase as software becomes more interdependent.


Please enter your comment!
Please enter your name here