Security researchers from Socket have stumbled upon a digital booby trap set for Russian-language users within JavaScript packages.
The researchers found two npm packages – with the rather innocuous names @link-loom/ui-sdk and @link-loom/react-sdk – that look normal on the surface. They are designed to help developers create nice-looking pop-up notifications in web applications. Yet beneath this helpful exterior lies something more politically charged.
If your browser language is set to Russian and you visit a website that uses these packages (and the other trigger conditions described below are met), you are in for a surprise: the page freezes – you cannot click anything, scroll, or interact in any way – while the Ukrainian national anthem plays on loop.
The affected packages have been downloaded thousands of times, meaning a large number of developers might have embedded this code into their projects. The original package (@link-loom/ui-sdk) racked up over 7,000 downloads before being deprecated, though its successor continued the same hidden functionality.
What makes this clever – or concerning, depending on your perspective – is how well hidden this code was. These packages contain over 100,000 lines of code, with the troublesome bit nestled about 5,000 lines deep.
The code within the JavaScript packages is rather sophisticated in its targeting. It will not trigger for just anyone: you need to be using Russian language settings, you need to be visiting a Russian or Belarusian website, and it must be at least your second visit to the site, with three days having passed since your first visit. A single test visit in a fresh browser profile therefore shows nothing unusual.
While some might see this as a harmless political statement, it raises further concerns about software supply chain security. Imagine running an online shop or essential service and finding that a portion of your users cannot use your website all because of code you didn’t write and weren’t aware existed in your dependencies.
The package creator has since removed this functionality from newer versions, but that does not help sites still pinned to the older versions that carry the payload, or sites that pull those versions in transitively through another dependency.
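One way to check whether a project still ships either package, as an added example written for this article rather than code from Socket or from the package author: a small Node.js script that walks a package-lock.json and reports every copy of the two named packages, including copies nested under another dependency. The package names come from the article; the sample lockfile, project name, and other dependency names below are constructed for the example. It handles both the older nested lockfile format (lockfileVersion 1, a tree under "dependencies") and the flat "packages" map used by lockfileVersion 2 and 3.

```javascript
// Added example (not from the original article or the package author).
// Finds installed copies of the two packages named in the article inside a
// package-lock.json, wherever they sit in the dependency tree.

const SUSPECT_PACKAGES = new Set(["@link-loom/ui-sdk", "@link-loom/react-sdk"]);

// Lockfile v2/v3 "packages" keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/@scope/bar"; the package name is whatever
// follows the last "node_modules/". The root project is the "" key.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies under each entry's "dependencies".
function walkV1(deps, prefix, suspects, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${prefix}node_modules/${name}`;
    if (suspects.has(name)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
    walkV1(entry.dependencies, `${lockPath}/`, suspects, hits);
  }
}

// Returns [{ name, version, path }] for every matching package in the lock.
// Prefers the flat "packages" map when present so v2 lockfiles (which carry
// both shapes) are not double counted.
function findSuspectPackages(lock, suspects = SUSPECT_PACKAGES) {
  const hits = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(lockPath);
      if (name && suspects.has(name)) {
        hits.push({ name, version: entry.version, path: lockPath });
      }
    }
  } else {
    walkV1(lock.dependencies, "", suspects, hits);
  }
  return hits;
}

// Reads and audits a lockfile from disk (Node.js only).
function auditLockfile(filePath) {
  const fs = require("fs");
  return findSuspectPackages(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile (v3): one suspect package as a direct
// dependency, one nested under an unrelated dependency, one clean package.
const SAMPLE_LOCK_V3 = {
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", dependencies: { "@link-loom/ui-sdk": "^1.0.0", "some-widget": "^2.0.0" } },
    "node_modules/@link-loom/ui-sdk": { version: "1.2.3" },
    "node_modules/some-widget": { version: "2.0.0", dependencies: { "@link-loom/react-sdk": "^0.5.0" } },
    "node_modules/some-widget/node_modules/@link-loom/react-sdk": { version: "0.5.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// The same constructed tree in the nested v1 shape.
const SAMPLE_LOCK_V1 = {
  name: "shop-frontend",
  lockfileVersion: 1,
  dependencies: {
    "@link-loom/ui-sdk": { version: "1.2.3" },
    "some-widget": { version: "2.0.0", dependencies: { "@link-loom/react-sdk": { version: "0.5.1" } } },
    "left-pad": { version: "1.3.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]
  const hits = process.argv[2] ? auditLockfile(process.argv[2]) : findSuspectPackages(SAMPLE_LOCK_V3);
  for (const h of hits) console.log(`${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The script exits non-zero when it finds a hit, so it can sit in CI next to `npm audit`. It reports versions rather than judging them, because the article does not say which release removed the payload; compare the reported version against the package's changelog before deciding whether an upgrade is enough. For a quick manual check, `npm ls @link-loom/ui-sdk @link-loom/react-sdk` in the project directory shows the same tree.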
If you are a developer, this serves as yet another reminder of why we need to be careful about what packages we bring into our projects. Third-party code saves time and effort, but it also introduces risks that cannot be ignored and can end up costing more in the long run, particularly when a package behaves differently for different users and the difference only shows up days after the first visit.
As geopolitical tensions continue to play out across the globe, we’re seeing increasing instances of developers using their skills to make political statements through code such as within these JavaScript packages. Whether you view this as legitimate protest or inappropriate sabotage likely depends on your own political leanings.