Photo by Amelia Holowaty Krales / The Verge

The consequences of the Russian invasion of Ukraine are being felt by many parts of the technology sector.

In a recent announcement, the Russian bank Sber advised its customers to temporarily stop installing software updates to any applications out of concern that they could contain malicious code specifically targeted at Russian users.

The announcement was quoted in Russian-language news sites.

Currently, cases of provocative media content being introduced into freely distributed software have become more frequent. In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.

If there was an urgent need to use the software, Sber advised clients to carry out a manual review of the source code, a suggestion that is likely to be impractical, if not impossible, for most users.

The announcement was likely made in reference to an incident that took place earlier in March, where the developer of a widely used JavaScript library added an update that overwrote files on machines located in Russia or Belarus. Many in the open-source community were concerned that the update would undermine confidence in the security of open-source software overall.

According to the NPM package manager, the library is used as a dependency by the popular front-end development framework Vue.js, which is downloaded around 1 million times per week.

On March 7th and March 8th, there was an update to the server that added code to check if the address of the host machine was located in Russia or Belarus, and if so, overwrote as many files as possible with a heart symbol. A later version of the module did away with the overwriting function and instead dropped a text file on users' desktops with a link to a song.

Although the most destructive features of the module are no longer in the code, the consequences are more difficult to reverse. A general loss of trust in open-source libraries could affect users in Russia and other countries.

The open-source community has fiercely condemned the update and pushed back on the idea of protest through module sabotage, even for worthy causes.

Difficult ethical questions have been posed to technology companies working in Russia. While many global tech leaders have paused or halted sales in the Russian market, others remain, like Matthew Prince of Cloudflare, who wrote in a March 7th post that the company would continue to provide service in Russia despite calls to pull out.