The developer faced a negative public reaction after he was accused of trying to indiscriminately distribute malware to Russian IP addresses through a popular open source package.
Brandon Nozaki-Miller denied accusations that his code destroyed the hard drives of users in Russia and Belarus, despite a detailed online analysis of the code by third-party experts.
Miller is developing node-ipc, an interprocess communication module for Linux, Mac and Windows systems. According to GitHub, the package is used by almost 761,000 people.
After analyzing the code on March 7 of this year, Snyk, a software security company, came to the conclusion that a malicious package was embedded in node-ipc. Malicious code overwritten files on the computer of users with IP addresses from Russia and Belarus, and replaced them with a smiley face.
According to Snyk, the ipc-node tool was used in packages, including the command line tool Vue.js . The vulnerability was assigned the identifier CVE-2022-23812 with a CVSS rating of 9.8 (critical).
After the incident, Miller was harshly harassed. Someone called the police and warned about a false emergency, as a result of which he was beaten by the police. Also, unknown people hacked his Twitter.
«As far as I know, no computer was affected, unless people tried to make my code do something that wasn’t really there“,” he said. «The only thing that actually happened was documented and licensed in the source code files, a file was added to the desktop with a message of peace, morality and an attempt to remember forgiveness when it’s all overme.”
Snyk’s detailed analysis rejects Miller’s words. The company accuses Nozaki Miller of trying to hide the spread of malware.