m1k1o / neko

A self hosted virtual browser that runs in docker and uses WebRTC.
https://neko.m1k1o.net/
Apache License 2.0

sweetalert2 >= 11.4.9 using malicious code to prevent using Neko for russian domain owners #211

Closed DX37 closed 1 year ago

DX37 commented 1 year ago

Hello! Using your program a while now and self-hosting it for me and my friends to watch films and shows.

But there's a sweetalert2 package you are using in the Neko client, which with versions >= 11.4.9 has gone rogue and started adding code to affect users who go to .ru, .su or .рф domains, and shows them a popup with YouTube videos about current Russia-Ukraine events (https://github.com/sweetalert2/sweetalert2/pull/2462). If I use Neko locally, with my local address, it works without this problem, but Neko's main purpose is gone by that.

A while ago we could just hit the close button and continue to use Neko, but recently I discovered that the author decided to go further and put the Ukrainian anthem (can't hear it with autoplay block on) in a transparent hidden popup, which is played by a JS script loaded from a CDN (https://github.com/sweetalert2/sweetalert2/issues/2466), and which fully prevents the user from interacting with the Neko client at all. Somehow Google Chrome blocks this behavior, but Mozilla Firefox or Microsoft Edge do not.

Can I ask you to lock the package version at 11.4.8 to not use this malicious code, please? If you won't, I'll fully understand you.

DX37 commented 1 year ago

Maybe it's not just this package version, I can't get it to work even when building docker image with 11.4.8 locked on...

m1k1o commented 1 year ago

I was not aware that something like this is injected. It raises big concerns that we were silently ignoring: dependency code malware injection. It could be anything.

Is it still showing for you even with 11.4.8? Also, isn't there maybe some global solution for you, e.g. to use an adblock rule?

yesBad commented 1 year ago

Technically the plan of it wasn't "malicious". I think the plan is to spread the awareness for the people who are not aware. But yeah it's a bit annoying.

What I'm trying to say is the idea is good, the implementation isn't the best.

DX37 commented 1 year ago

> Technically the plan of it wasn't "malicious". I think the plan is to spread the awareness for the people who are not aware. But yeah it's a bit annoying.
>
> What I'm trying to say is the idea is good, the implementation isn't the best.

I agree. And I, with our small group of intelligent people, am fully aware. If only these things were that simple to be resolved with protestware...

> I was not aware that something like this is injected. It raises big concerns that we were silently ignoring: dependency code malware injection. It could be anything.
>
> Is it still showing for you even with 11.4.8? Also, isn't there maybe some global solution for you, e.g. to use an adblock rule?

~Well, if I'm getting it right, and setting "sweetalert2": "11.4.8" without ^, I'm still getting this problem when building the docker base image. Somehow it uses a recent version of sweetalert2, 11.6.1, probably loading from a CDN, maybe this URL: https://cdn.jsdelivr.net/npm/sweetalert2@11. The problem is that it is inside the sweetalert script, so I can't just block this script, or Neko will not work anymore. If you open the URL https://cdn.jsdelivr.net/npm/sweetalert2@11.4.8, it'll open the script without any annoying code.~ Figured it out: I shouldn't run docker-compose pull after having the images built.

Another possible solution for me is to switch the browser language to anything but Russian, and then it'll work. But not all my friends are that technically advanced to do this. So at least trying to build the image without the unwanted code is the closest to the best solution in my case.

DX37 commented 1 year ago

Okay, just got rid of all ^ symbols in package.json, set "sweetalert2": "11.4.8" and built the base image. It's fixed now on this version, but I don't understand why I can't just set only sweetalert2 to a fixed version. Are there other dependencies which use it?

UPD: Oh, I guess I got it: I shouldn't do docker-compose pull after building the docker image. Before that everything works, but after that it's not working. Will try with only setting the sweetalert version fixed.

DX37 commented 1 year ago

> Okay, just got rid of all ^ symbols in package.json, set "sweetalert2": "11.4.8" and built the base image. It's fixed now on this version, but I don't understand why I can't just set only sweetalert2 to a fixed version. Are there other dependencies which use it?
>
> UPD: Oh, I guess I got it: I shouldn't do docker-compose pull after building the docker image. Before that everything works, but after that it's not working. Will try with only setting the sweetalert version fixed.

Yeah, it worked. Set a fixed sweetalert2 version, 11.4.8, built the docker base image etc. by myself and did not pull any containers with docker-compose pull.

I guess you can close the issue, if you want. Most of the Neko users are not Russian or not hosting it on Russian domains. But at least we (or I, I suppose) know what the problem was now. After almost several months of just watching a closeable warning popup right on my self-hosted site...
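The fix DX37 arrived at above is a supply-chain hygiene step: a caret range such as `^11.4.8` lets any later 11.x publish into the build, so the manifest has to be pinned and the lockfile checked against it. The script below is an added example, not code from the neko project; it audits a package.json against an npm lockfile (the `lockfileVersion: 2` layout with `packages["node_modules/<name>"]` entries), reports which dependencies float, and emits a pinned manifest. Both manifests are constructed for this example and only reuse the sweetalert2 versions mentioned in the thread.

```javascript
// Added example, not code from the neko project: audit a package.json for
// floating version ranges, compare them with what the lockfile actually
// resolved, and produce a pinned manifest. Both manifests below are
// constructed for this example; the sweetalert2 versions are the ones
// discussed in the thread (11.4.8 pinned, 11.6.1 pulled in by "^").

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "neko-client-example",
  dependencies: {
    sweetalert2: "^11.4.8",
    vue: "2.6.14",
  },
});

const SAMPLE_LOCKFILE = JSON.stringify({
  name: "neko-client-example",
  lockfileVersion: 2,
  packages: {
    "node_modules/sweetalert2": { version: "11.6.1" },
    "node_modules/vue": { version: "2.6.14" },
  },
});

// Parse "MAJOR.MINOR.PATCH" into three numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// An exact pin is a bare version with no range operator (^, ~, >=, *, x ...).
function isExactPin(spec) {
  return parseVersion(spec) !== null;
}

// Minimal caret rule for major > 0: ^a.b.c allows >= a.b.c and < (a+1).0.0.
// (npm narrows ^0.x.y further; those specs are reported as floating anyway.)
function caretAllows(spec, resolved) {
  if (!spec.startsWith("^")) return false;
  const lo = parseVersion(spec.slice(1));
  const r = parseVersion(resolved);
  if (!lo || !r || lo[0] === 0 || r[0] !== lo[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (r[i] !== lo[i]) return r[i] > lo[i];
  }
  return true;
}

// Compare each declared dependency with the version the lockfile resolved.
// status: "pinned-match", "pinned-drift" (lock disagrees with the exact pin),
// "floating" (a range: any future publish inside it can be pulled in),
// or "unresolved" (not present in the lockfile at all).
function auditDependencies(pkgJsonText, lockText) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  const packages = JSON.parse(lockText).packages || {};
  return Object.entries(deps).map(([name, spec]) => {
    const entry = packages[`node_modules/${name}`];
    const resolved = entry ? entry.version : null;
    let status;
    if (!resolved) status = "unresolved";
    else if (isExactPin(spec)) status = spec === resolved ? "pinned-match" : "pinned-drift";
    else status = "floating";
    return { name, spec, resolved, status };
  });
}

// Rewrite the manifest with every "^" and "~" range collapsed to its base
// version, which is what removing the ^ symbols by hand achieves.
function pinAll(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (/^[\^~]\d+\.\d+\.\d+$/.test(spec)) pkg[section][name] = spec.slice(1);
    }
  }
  return JSON.stringify(pkg, null, 2);
}

// Stand-alone run over the constructed manifests.
for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)) {
  const note = f.status === "floating" && caretAllows(f.spec, f.resolved)
    ? ` (lockfile resolved ${f.resolved}, allowed by ${f.spec})`
    : "";
  console.log(`${f.name}: ${f.spec} -> ${f.status}${note}`);
}
```

Pinning the manifest only protects the image you build yourself: as the thread shows, running `docker-compose pull` afterwards replaces that image with the published one, whose dependencies were resolved at the maintainer's build time, so the audit has to be paired with using the locally built image.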

m1k1o commented 1 year ago

It's for sure a piece of code that was not intended to be used. If only it were at least dismissable and spread information, as originally meant. But the latest behavior is not informative and just annoying.

Last "clean" version is quite old. I would need to see what changed since then or alternatively fork that repository and remove unwanted code.

@DX37 you could just add a port number to your domain; that should not trigger the current checks (because they match location.host and not location.hostname), so instead of https://domain.ru just send your friends links with https://domain.ru:443.

m1k1o commented 1 year ago

@DX37 I locked the package version. Could you remind me / create a PR once the changes are removed from the repository? Or maybe create a new PR replacing it with some alternative, because we cannot be sure what changes next in this dependency.

DX37 commented 1 year ago

> @DX37 I locked the package version. Could you remind me / create a PR once the changes are removed from the repository? Or maybe create a new PR replacing it with some alternative, because we cannot be sure what changes next in this dependency.

Thank you! I will, but I think it can take a long time, since these events don't seem to end anytime soon. Perhaps in the future a fork with reverted commits will do the trick, if this locked version is gone.