Peacenotwar

peacenotwar is a piece of malware, which has been characterized as protestware, created by Brandon Nozaki Miller. In March 2022, it was added as a dependency in an update for, a common JavaScript dependency.

Background
Between 7 March and 8 March 2022, Brandon Nozaki Miller, the maintainer of the  package on the npm package registry, released two updates containing malicious code targeting systems in Russia and Belarus. This code recursively overwrites all files on the user's system drive with heart emojis. A week later, Miller added the peacenotwar module as a dependency to. The function of peacenotwar was to create a text file titled  on the desktop of affected machines, containing a message in protest of the Russo-Ukrainian War; it also imports a dependency on a package (npm colors package) that would result in a Denial of Service (DoS) to any server using it.

Impact
Because  was a common software dependency, it compromised several other projects which relied upon it.

Among the affected projects was Vue.js, which required  as a dependency but didn't specify a version. Some users of Vue.js were affected if the dependency was fetched from specific packages. Unity Hub 3.1 was also affected, but a patch was issued on the same day as the release.