by lights0123 1559 days ago
> On March 8, at 7:25PM GMT+2 and less than four hours after node-ipc@10.1.3 had been published to roll back the destructive payload, a new major version node-ipc@11.0.0 was released on the npmjs registry.

The old version erased files, the new one leaves a file on the desktop.

Looks like they realized the ramifications and suddenly changed their payload. Well, that won't help them, since companies that use this module will have their legal department barking. They cannot erase the damage they have done and try to get away from the ramifications with a new version. Since this is distributed through GitHub, Microsoft legal will possibly be involved due to possible violation of cyber/hacking laws in various countries. This is going to be ugly for the developers.
I don't see any issue for the developers at all. It is their software to create and alter as they see fit. End users choose to use the package, it is not being installed on their machines without their knowledge.
Four things:

1) Why did they change the code all of a sudden? If they are fine with releasing this kind of damaging payload, then why did they decide to change the code? I mean, they want to make a statement, right? Then they should leave the original code and stand by it. Why are they not standing by their statement?

2) Why is RIAEvangelist editing people's comments to minimize their language? Why are they censoring their comments? I checked the edited button and you can see RIAEvangelist made some interesting changes to their comments.

3) If RIAEvangelist felt his protest should be public and known, why can't users' be? You can clearly see they were trying to censor comments and users at the beginning. So odd for a developer who wants to protest yet refuses to allow users to voice their protest. Strange, strange mentality.

4) That is their free speech, but that is only free speech from the governments. I realize my comment indicates legal ramifications. It is not the governments that RIAEvangelist should worry about, it is the private companies they should worry about, especially since the platform they are using is known to be extremely litigious. They have far more power and money to ensure their maximum punishment. Private companies will use the law and lean hard on the government to do something. Private companies have done it before and they will do it again.

I don't have an issue with their principle. It's just that it is not the right platform/soapbox to use, because it can cause unexpected damage if the original code is left up. It could spill over to companies that would be unintentionally targeted by it. Software is never perfect and it can be ugly. The developer had the right mind to change the code to minimize the damage, because it will be ugly for them if they leave it up.

I'm curious if you think the same applies to a developer that writes any kind of ransomware when an end user downloads and installs it knowingly. End user trust is a common attack vector for malware and the developer here took advantage of that just like any other malware developer.
Must GPL my ransomware. Thanks for the reminder!