Tell HN: Microsoft forgives malware? Node-ipc virus writer not banned GitHub

25 points

4 years ago

A few months ago there was a supply-chain attack involving the npm package node-ipc, in which one of the maintainers sabotaged the codebase to delete files on thousands of people's computers.

https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/

I just wanted to bring up the fact that the perpetrator behind this cyberattack, "RIAEvangelist", is currently not banned on Github. Hours after publishing the malware code on Github's node-ipc repository they appeared to have temporarily locked his account. But given the fact that his activity remained shortly after, it means Microsoft didnt opt to punish him very long (or at all?).

Malware author's profile: https://github.com/RIAEvangelist

What are the broader implications of Microsoft's inaction against a clear case of computer sabotage? Could their inaction against this user be interpreted as negligence? Could it be interpreted as a relaxation of company policy restrictions against malware being hosted on Github? Discuss.

20 comments