Software with a political opinion is a security threat

Software that has a political opinion implies a bias and a high security risk. Avoid software with a "position" today, so you don't get hacked tomorrow.

The movie Dr. Strangelove, or How I Learned to Stop Worrying and Love the Bomb (1964)

This week I found a Twitter post in my feed with a screenshot saying "@pnpmjs blocked you", and my reaction was kind of «wow, it's good I haven't started to use PNPM yet and learned about their "opinion" that prompted them to block someone on Twitter, which may be a motivation to inject malware on my PC next time. I had been close to starting to use it in the coming months».

banned Twitter account

There are reasons to consider such threats real. In fact, we've had too many cases lately that prove over and over that software with any "opinion" or "political views" is dangerous.

Many NPM packages contain malware. Usually they rely on typosquatting or masquerading to parasitize popular packages, but some contain no malware at first and become popular. Then something happens in the world, and they attack their users for political reasons. This is the story of CVE-2022-23812: node-ipc, a well-known NPM package with over a million weekly downloads, started deleting all data and overwriting all files on developers' machines in March 2022 to protest the war in Ukraine.

Cloud services have this problem too. On 30 May 2024, Docker Hub blocked access for users from Russia for political reasons. GitHub suspends accounts in Russia, Iran, and other countries [1], [2], [3].

Browser extensions, mobile apps, and desktop apps also implement logic to attack users by region or by their political views. Nowadays, many teams buy popular apps and browser extensions in order to inject malware. I have a blog post about it.

As you can see, the "opinion" or "political view" of a company is not only a way to ride the hype around sanctions and curry favor with investors, the government, and consumers; it is also a clear signal of potential threats. It signals that your sensitive data may be hijacked, sold, or wiped at any time if the political compass spins tomorrow and recognizes you as an enemy.

There is no way to completely protect ourselves from cyber attacks, but at least we can avoid software with an "opinion." Good software does not care about how to ban someone on Twitter, how to limit access from some regions, or how to inject malware based on region, religion, or skin color.

To minimize security risks, we have to check software for red flags. Any publicly claimed "position" of software is a red flag if it is not directly related to software development.

Some of the red flags I actively use to reject software:

  • Direct political opinions in a product's blog, like "we support X" or "we are against X"
  • Blocking people on social media and in chats/groups
  • Any aggressive behavior of maintainers in public discussions
  • Overly persistent requests for donations

It is not possible to list all factors in one post, but the key point is that good software must be neutral and independent.

Any software may become malware at any time, but software with an "opinion" ensures that it will. One more way to keep software neutral and independent is your support. Donate to them, help with promotion by sharing them with your team and friends, and contribute to their code.

Let's network. I'm on Mastodon and Twitter.