A sophisticated protestware campaign has emerged targeting Russian-language users through a network of compromised npm packages: at least 28 new packages, spanning nearly 2,000 published versions, now carry the malicious code. The campaign represents a significant escalation in supply chain attacks, leveraging JavaScript package repositories to distribute politically motivated malware that disrupts user interactions on Russian and Belarusian websites.

Socket.dev analysts identified the widespread distribution of this protestware across multiple npm packages and traced its origin to the popular SweetAlert2 library, which has over 700,000 weekly downloads. The research team found that the code has propagated largely through unintentional supply chain contamination: developers copied code from SweetAlert2 into their own packages without realising what it contained and without disclosing it. Many of the affected packages contain over 100,000 lines of code, with the payload buried deep within the codebase, where routine code review is unlikely to notice it.

The malware operates through a conditional framework that specifically targets users whose browser language is set to Russian when they visit domains ending in .ru, .by, .su, or .рф. It uses browser localStorage for persistence, storing a first-visit timestamp under the key 'swal-initiation' and comparing the current time against it on each visit. The payload activates only after three days have elapsed since that first visit. This delay means repeat users experience the full protestware impact while casual visitors are mostly spared, and it avoids the immediate suspicion from users or automated security tooling that an instant-firing payload would attract.

Once the targeting conditions are met and the three-day timer has expired, the malware sets document.body.style.pointerEvents = 'none', disabling all mouse-based interaction with the page, and creates an audio element that loads the Ukrainian national anthem from an external server and plays it on loop, effectively rendering the affected site unusable for the targeted demographic.
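As an added illustration, not code from SweetAlert2 or from any package in Socket's research, the following Node-runnable JavaScript reconstructs the gating logic the article describes (Russian browser language, a .ru/.by/.su/.рф host, a first-visit timestamp under 'swal-initiation', a three-day delay) and pairs it with a grep-style heuristic a reviewer can run over a bundled dependency to spot the same indicators. The function names, the handling of the punycode form of .рф, the indicator list and its threshold, and the two sample snippets are all assumptions made for the example.

```javascript
// Added example (not SweetAlert2's code): a reconstruction of the gating logic
// described in the article, plus a source-scanning heuristic for its indicators.
// Function names, punycode handling, threshold and sample snippets are assumptions.

const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000;
const STORAGE_KEY = 'swal-initiation';               // key named in the article
// TLDs named in the article. 'xn--p1ai' is the punycode form of 'рф', which is what
// location.hostname actually returns in browsers (assumption: included for realism).
const TARGET_TLDS = new Set(['ru', 'by', 'su', 'рф', 'xn--p1ai']);

// Targeting criteria: Russian browser language on a .ru/.by/.su/.рф site.
function isTargeted(language, hostname) {
  const lang = String(language || '').toLowerCase();
  const tld = String(hostname || '').toLowerCase().split('.').pop();
  return lang.startsWith('ru') && TARGET_TLDS.has(tld);
}

// Persistence and delay: on the first targeted visit store a timestamp under
// STORAGE_KEY; on later visits fire only once three days have elapsed since it.
// `storage` is anything with getItem/setItem (window.localStorage in a browser);
// `now` is epoch milliseconds, passed in explicitly so the logic is testable.
function shouldActivate(env, storage, now) {
  if (!isTargeted(env.language, env.hostname)) return false;
  const first = Number(storage.getItem(STORAGE_KEY)); // null -> 0 on first visit
  if (!first) {
    storage.setItem(STORAGE_KEY, String(now));         // timer starts, nothing fires
    return false;
  }
  return now - first >= THREE_DAYS_MS;
}

// In-memory stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Detection side: indicators to look for in a bundle. Each one alone is common in
// benign code (pointer-events locks are normal for modal backdrops); three or more
// together in one file is worth a closer look.
const INDICATORS = [
  /['"]swal-initiation['"]/,                 // the persistence key
  /pointerEvents\s*=\s*['"]none['"]/,        // interaction lock
  /['"]рф['"]|['"]xn--p1ai['"]/,             // Cyrillic TLD as a string literal
  /createElement\(\s*['"]audio['"]\s*\)/,    // audio element for the anthem
  /\bnavigator\.languages?\b/,               // browser language check
];
function scanForIndicators(source) {
  return INDICATORS.filter((re) => re.test(source)).length;
}
function looksLikeProtestware(source) {
  return scanForIndicators(source) >= 3;
}

// Constructed snippets for demonstration only (not taken from any real package).
const CONSTRUCTED_SUSPECT = `
  if (['ru','by','su','рф'].includes(location.hostname.split('.').pop())
      && navigator.language.startsWith('ru')) {
    if (Date.now() - localStorage.getItem('swal-initiation') > 259200000) {
      document.body.style.pointerEvents = 'none';
      const a = document.createElement('audio'); a.loop = true; a.play();
    }
  }`;
const CONSTRUCTED_BENIGN = `
  // modal backdrop disables clicks behind the dialog while it is open
  backdrop.style.pointerEvents = 'none';`;

// Stand-alone demo: three visits by a targeted user on day 0, day 1 and day 3.
const demoStore = memoryStorage();
const demoEnv = { language: 'ru-RU', hostname: 'example.ru' };
const demoT0 = Date.UTC(2025, 6, 1);
console.log([0, 1, 3].map((d) => shouldActivate(demoEnv, demoStore, demoT0 + d * 86400000)));
console.log(looksLikeProtestware(CONSTRUCTED_SUSPECT), looksLikeProtestware(CONSTRUCTED_BENIGN));
```

The delay is the part that defeats a quick manual test: loading a copied package once in a Russian-locale browser on a .ru staging host shows nothing, because the first visit only writes the timestamp. Clearing localStorage resets the timer, which is also why the indicator scan, rather than runtime observation, is the practical check during dependency review.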
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 09:30:26 +0000