{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,20]],"date-time":"2025-06-20T04:08:51Z","timestamp":1750392531811,"version":"3.41.0"},"reference-count":123,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,19]]},"abstract":"<jats:p>\n            Protests are public expressions of personal or collective discontent with the current state of affairs. Although traditional protests involve in-person events, the ubiquity of computers and software opened up a new avenue for activism: protestware. While news and media heavily report individual protestware as discovered, an in-depth understanding of how they impact the open-source software supply chain is largely missing. In particular, we do not have a detailed understanding of their characteristics and impact on the open-source community who rely on free contributions. To address this gap, we first collect 163 samples of libraries that are either modified (protestware) or created (which we call\n            <jats:italic toggle=\"yes\">protestware enablers<\/jats:italic>\n            ) with a clear intention to protest. In addition, we analyze the aftermath of the protestware, which has the potential to affect the software supply chain in terms of community sentiment and usage. We report that: (1) protestware has three notable characteristics, namely, i) the way protests are induced is diverse, ii) the altered functionality can be discriminatory, and iii) the transparency (\n            <jats:italic toggle=\"yes\">i.e.<\/jats:italic>\n            reporting the change for protest) is not always respected; (2) disruptive protestware may cause a substantial adverse impact on downstream users; (3) developers of protestware may not shift their beliefs even with pushback; (4) the usage of protestware from JavaScript libraries has been seen to generally increase over time.\n            <jats:italic toggle=\"yes\">[Content Warning: This paper contains aggressive and derogatory language in the form of examples from GitHub user comments, which some might find unsettling.]<\/jats:italic>\n          <\/jats:p>","DOI":"10.1145\/3729381","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:15:34Z","timestamp":1750346134000},"page":"2500-2523","source":"Crossref","is-referenced-by-count":0,"title":["On the Characteristics and Impacts of Protestware Libraries"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-6020-8442","authenticated-orcid":false,"given":"Tanner","family":"Finken","sequence":"first","affiliation":[{"name":"University of Arizona, Tucson, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-1741-5531","authenticated-orcid":false,"given":"Jesse","family":"Chen","sequence":"additional","affiliation":[{"name":"University of Arizona, Tucson, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1258-6470","authenticated-orcid":false,"given":"Sazzadur","family":"Rahaman","sequence":"additional","affiliation":[{"name":"University of Arizona, Tucson, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,6,19]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"d.]. 996 working hour system. https:\/\/en.wikipedia.org\/wiki\/996_working_hour_system Accessed","year":"2025","unstructured":"[n. d.]. 996 working hour system. https:\/\/en.wikipedia.org\/wiki\/996_working_hour_system Accessed: Feb 21, 2025"},{"key":"e_1_2_1_2_1","volume-title":"d.]. all-the-package-repos: Normalized repository URLs for every package in the npm registry. Updated daily.. https:\/\/github.com\/nice-registry\/all-the-package-repos Accessed","year":"2025","unstructured":"[n. d.]. all-the-package-repos: Normalized repository URLs for every package in the npm registry. Updated daily.. https:\/\/github.com\/nice-registry\/all-the-package-repos Accessed: Feb 17, 2025"},{"key":"e_1_2_1_3_1","volume-title":"d.]. American NGO affected by your recklessness. https:\/\/archive.ph\/emyJb Accessed","year":"2025","unstructured":"[n. d.]. American NGO affected by your recklessness. https:\/\/archive.ph\/emyJb Accessed: Feb 22, 2025"},{"key":"e_1_2_1_4_1","volume-title":"d.]. API Platform. https:\/\/openai.com\/api\/ Accessed","year":"2025","unstructured":"[n. d.]. API Platform. https:\/\/openai.com\/api\/ Accessed: Feb 17, 2025"},{"key":"e_1_2_1_5_1","volume-title":"d.]. GitHub. https:\/\/en.wikipedia.org\/wiki\/GitHub Accessed","year":"2025","unstructured":"[n. d.]. GitHub. https:\/\/en.wikipedia.org\/wiki\/GitHub Accessed: Jan 27, 2025"},{"key":"e_1_2_1_6_1","volume-title":"d.]. Google AI for Developers. https:\/\/ai.google.dev\/ Accessed","year":"2025","unstructured":"[n. d.]. Google AI for Developers. https:\/\/ai.google.dev\/ Accessed: Feb 17, 2025"},{"key":"e_1_2_1_7_1","volume-title":"d.]. Hacktivism. https:\/\/en.wikipedia.org\/wiki\/Hacktivism##Protestwarem Accessed","year":"2025","unstructured":"[n. d.]. Hacktivism. https:\/\/en.wikipedia.org\/wiki\/Hacktivism##Protestwarem Accessed: Feb 17, 2025"},{"key":"e_1_2_1_8_1","volume-title":"d.]. Hacktivism. https:\/\/en.wikipedia.org\/wiki\/Hacktivism##Protestware Accessed","year":"2025","unstructured":"[n. d.]. Hacktivism. https:\/\/en.wikipedia.org\/wiki\/Hacktivism##Protestware Accessed: Jan 27, 2025"},{"key":"e_1_2_1_9_1","volume-title":"d.]. kvcb - snippet.host. https:\/\/archive.ph\/QJ5IK Accessed","year":"2025","unstructured":"[n. d.]. kvcb - snippet.host. https:\/\/archive.ph\/QJ5IK Accessed: Feb 22, 2025"},{"key":"e_1_2_1_10_1","volume-title":"d.]. npm. https:\/\/en.wikipedia.org\/wiki\/Npm Accessed","year":"2025","unstructured":"[n. d.]. npm. https:\/\/en.wikipedia.org\/wiki\/Npm Accessed: Jan 27, 2025"},{"key":"e_1_2_1_11_1","volume-title":"d.]. Reddit API | Developer Platform. https:\/\/developers.reddit.com\/docs\/api Accessed","year":"2025","unstructured":"[n. d.]. Reddit API | Developer Platform. https:\/\/developers.reddit.com\/docs\/api Accessed: Feb 17, 2025"},{"key":"e_1_2_1_12_1","unstructured":"2008. AntonSchevchuk\/yandex. https:\/\/github.com\/AntonShevchuk\/yandex"},{"key":"e_1_2_1_13_1","unstructured":"2010. npm. https:\/\/www.npmjs.com\/"},{"key":"e_1_2_1_14_1","unstructured":"2013. evolution-cms\/evolution. https:\/\/github.com\/evolution-cms\/evolution"},{"key":"e_1_2_1_15_1","unstructured":"2014. firefox-boycott. https:\/\/github.com\/jackmaney\/firefox-boycott"},{"key":"e_1_2_1_16_1","unstructured":"2014. Include notes on diversity in tech. Docs for new HTML formatting Commit. https:\/\/github.com\/vladimirbuskin\/leaflet-control-geocoder\/commit\/deeaa0071f17cdd0cba551bfe823fab6633e1a7b"},{"key":"e_1_2_1_17_1","unstructured":"2014. left-pad. https:\/\/github.com\/left-pad\/left-pad"},{"key":"e_1_2_1_18_1","unstructured":"2014. vue - npm. https:\/\/www.npmjs.com\/package\/vue"},{"key":"e_1_2_1_19_1","unstructured":"2014. Vue.js - The Progressive JavaScript Framework. https:\/\/vuejs.org\/"},{"key":"e_1_2_1_20_1","unstructured":"2016. ec-\/Quake3e. https:\/\/github.com\/ec-\/Quake3e"},{"key":"e_1_2_1_21_1","unstructured":"2016. How one programmer broke the internet by deleting a tiny piece of code. https:\/\/qz.com\/646467\/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code"},{"key":"e_1_2_1_22_1","unstructured":"2016. I\u2019ve Just Liberated My Modules. https:\/\/web.archive.org\/web\/20161203055443\/https:\/\/medium.com\/@azerbike\/i-ve-just-liberated-my-modules-9045c06be67c"},{"key":"e_1_2_1_23_1","unstructured":"2016. npm Blog Archive: kik left-pad and npm. https:\/\/blog.npmjs.org\/post\/141577284765\/kik-left-pad-and-npm"},{"key":"e_1_2_1_24_1","unstructured":"2016. styled-components. https:\/\/github.com\/styled-components\/styled-components"},{"key":"e_1_2_1_25_1","unstructured":"2017. Yet Another Dialog(yad). https:\/\/github.com\/v1cont\/yad\/tree\/master"},{"key":"e_1_2_1_26_1","unstructured":"2019. Developer takes down Ruby library after he finds out ICE was using it. https:\/\/www.zdnet.com\/article\/developer-takes-down-ruby-library-after-he-finds-out-ice-was-using-it\/"},{"key":"e_1_2_1_27_1","unstructured":"2019. Free Hong Kong Pro-Palestinian protest on UA\u00b7 pdyck\/hearthstone-db@52be873. https:\/\/github.com\/pdyck\/hearthstone-db\/commit\/52be873eb6f8551b077d5f4ebfb146eccf45288c"},{"key":"e_1_2_1_28_1","unstructured":"2019. NestJS-Pino.. https:\/\/github.com\/iamolegga\/nestjs-pino"},{"key":"e_1_2_1_29_1","volume-title":"Removed unused devDependencies &amp","unstructured":"2019. Removed unused devDependencies &amp; Updated README.md \u00b7 EmilyMew\/dom-pdf@67fe264. https:\/\/github.com\/EmilyMew\/dom-pdf\/commit\/67fe264996d891e65899667b3dcf058500d5a067"},{"key":"e_1_2_1_30_1","unstructured":"2020. Iffy Index of Unreliable Sources. https:\/\/iffy.news\/index\/"},{"key":"e_1_2_1_31_1","unstructured":"2020. racial-equity-banner. https:\/\/github.com\/blittle\/racial-equity-banner"},{"key":"e_1_2_1_32_1","unstructured":"2020. updates readme file \u00b7 saqy\/angular-packages@a3d1f06. https:\/\/github.com\/saqy\/angular-packages\/commit\/a3d1f061d1477edde5999f5d92e93936c56ab925"},{"key":"e_1_2_1_33_1","unstructured":"2020. Venezuela crisis: Anger over shortages triggers protests. https:\/\/www.bbc.com\/news\/world-latin-america-54354225"},{"key":"e_1_2_1_34_1","unstructured":"2020. widget-engrave. https:\/\/github.com\/onestlatech\/widget-engreve"},{"key":"e_1_2_1_35_1","unstructured":"2021. No more free work from Marak - Pay Me or Fork This. https:\/\/web.archive.org\/web\/20210704022108\/https:\/\/github.com\/Marak\/faker.js\/issues\/1046"},{"key":"e_1_2_1_36_1","unstructured":"2021. No more free work from Marak - Pay Me or Fork This \u00b7 Issue ##1046 \u00b7 Marak\/faker.js \u00b7 GitHub. https:\/\/web.archive.org\/web\/20210704022108\/https:\/github.com\/Marak\/faker.js\/issues\/1046"},{"key":"e_1_2_1_37_1","unstructured":"2021. nuxt-block-russia-belarus. https:\/\/github.com\/kevinl95\/nuxt-block-russia-belarus"},{"key":"e_1_2_1_38_1","unstructured":"2022. Add blacklist \u00b7 arendst\/Tasmota@98cbf25. https:\/\/github.com\/arendst\/Tasmota\/commit\/98cbf2587a1a914bbd16996ebb48dd451d3da448"},{"key":"e_1_2_1_39_1","unstructured":"2022. Add STOP WAR message for Russians by limonte \u00b7 Pull Request #2428 \u00b7 sweetalert2\/sweetalert2. https:\/\/github.com\/sweetalert2\/sweetalert2\/pull\/2428\/commits\/86d5af1686a5270a593f14ec90c6943884447824"},{"key":"e_1_2_1_40_1","unstructured":"2022. Adds new American flag module Marak. https:\/\/github.com\/Marak\/colors.js\/commit\/074a0f8ed0c31c35d13d28632bd8a049ff136fb6?diff=unified&w=0"},{"key":"e_1_2_1_41_1","volume-title":"After \u2018protestware","year":"2022","unstructured":"2022. After \u2018protestware\u2019 attacks, a Russian bank has advised clients to stop updating software. https:\/\/www.theverge.com\/2022\/3\/21\/22989339\/protestware-attacks-russia-sberbank-open-source"},{"key":"e_1_2_1_42_1","unstructured":"2022. Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine. https:\/\/snyk.io\/blog\/peacenotwar-malicious-npm-node-ipc-package-vulnerability\/"},{"key":"e_1_2_1_43_1","unstructured":"2022. BIG sabotage: Famous npm package deletes files to protest Ukraine war. https:\/\/www.bleepingcomputer.com\/news\/security\/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war\/"},{"key":"e_1_2_1_44_1","unstructured":"2022. cannot find module node_modules\/styled-components\/postinstall.js \u00b7 Issue ##3706 \u00b7 styled-components\/styled-components. https:\/\/github.com\/styled-components\/styled-components\/issues\/3706"},{"key":"e_1_2_1_45_1","unstructured":"2022. chore: Give Peace a Chance \u00b7 medikoo\/es5-ext@28de285. https:\/\/github.com\/medikoo\/es5-ext\/commit\/28de285ed433b45113f01e4ce7c74e9a356b2af2"},{"key":"e_1_2_1_46_1","unstructured":"2022. Code-Sabotage Incident in Protest of Ukraine War Exposed Open Source Risks. https:\/\/www.darkreading.com\/application-security\/recent-code-sabotage-incident-latest-to-highlight-code-dependency-risks"},{"key":"e_1_2_1_47_1","unstructured":"2022. Dev corrupts NPM libs \u2019colors\u2019 and \u2019faker\u2019 breaking thousands of apps. https:\/\/www.bleepingcomputer.com\/news\/security\/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps\/"},{"key":"e_1_2_1_48_1","unstructured":"2022. Did the term protestware exist before? - Puppy Linux Discussion Forum. https:\/\/forum.puppylinux.com\/viewtopic.php?p=52839&sid=3a36de55392fe34b1e4c5407b1d4ca9e#p52839"},{"key":"e_1_2_1_49_1","unstructured":"2022. drop k hujam support of russian language. https:\/\/github.com\/v1cont\/yad\/commit\/e38f7fa71aa9b2dff408ae14ca7133e4fdc4b02a"},{"key":"e_1_2_1_50_1","unstructured":"2022. faker.js. https:\/\/web.archive.org\/web\/20220129022735\/https:\/\/github.com\/marak\/Faker.js\/"},{"key":"e_1_2_1_51_1","unstructured":"2022. feat: Made it clear that we stand with Ukraine \u00b7 terraform-aws-modules\/terraform-aws-eks@fad350d. https:\/\/github.com\/terraform-aws-modules\/terraform-aws-eks\/commit\/fad350d5bf36a7e39aa3840926b4c9968e9f594c"},{"key":"e_1_2_1_52_1","unstructured":"2022. MongoDB Assistance to Ukraine Shut Down of Work in Russia. https:\/\/www.mongodb.com\/blog\/post\/mongodb-assistance-ukraine-shut-down-work-russia"},{"key":"e_1_2_1_53_1","unstructured":"2022. New Protestware Found Lurking in Highly Popular NPM Package. https:\/\/checkmarx.com\/blog\/new-protestware-found-lurking-in-highly-popular-npm-package\/"},{"key":"e_1_2_1_54_1","unstructured":"2022. node-ipc edit. https:\/\/web.archive.org\/web\/20220321220122\/https:\/\/github.com\/RIAEvangelist\/node-ipc\/blob\/847047cf7f81ab08352038b2204f0e7633449580\/dao\/ssl-geospec.js"},{"key":"e_1_2_1_55_1","unstructured":"2022. peacenotwar. https:\/\/web.archive.org\/web\/20220317095621\/https:\/\/github.com\/RIAEvangelist\/peacenotwar"},{"key":"e_1_2_1_56_1","volume-title":"Pushes Antiwar Ads, Geo-Targeted Malware. https:\/\/www.reddit.com\/r\/hacking\/comments\/thlqm3\/comment\/i1a0lf0\/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1n Accessed","year":"2025","unstructured":"2022. Pro-Ukraine \u2018Protestware\u2019 Pushes Antiwar Ads, Geo-Targeted Malware. https:\/\/www.reddit.com\/r\/hacking\/comments\/thlqm3\/comment\/i1a0lf0\/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1n Accessed: Feb 22, 2025"},{"key":"e_1_2_1_57_1","unstructured":"2022. Protests erupt across China in unprecedented challenge to Xi Jinping\u2019s zero-Covid policy. https:\/\/www.cnn.com\/2022\/11\/26\/china\/china-protests-xinjiang-fire-shanghai-intl-hnk\/index.html"},{"key":"e_1_2_1_58_1","volume-title":"\u2019Protestware","year":"1908","unstructured":"2022. \u2019Protestware\u2019 is on the rise, with programmers self-sabotaging their own code. Should we be worried? https:\/\/theconversation.com\/protestware-is-on-the-rise-with-programmers-self-sabotaging-their-own-code-should-we-be-worried-190836"},{"key":"e_1_2_1_59_1","unstructured":"2022. Protestware is trending in open source: 4 different types and their impact. https:\/\/snyk.io\/blog\/protestware-open-source-types-impact\/"},{"key":"e_1_2_1_60_1","unstructured":"2022. Protestware on the rise: Why developers are sabotaging their own code. https:\/\/techcrunch.com\/2022\/07\/27\/protestware-code-sabotage\/"},{"key":"e_1_2_1_61_1","unstructured":"2022. racial-equity-banner. https:\/\/github.com\/filipe-freire\/hands-off-ukraine-banner"},{"key":"e_1_2_1_62_1","volume-title":"Removing React project dependencies involving the es5-ext protestware? https:\/\/stackoverflow.com\/questions\/71877958\/removing-react-project-dependencies-involving-the-es5-ext-protestware Accessed","year":"2024","unstructured":"2022. Removing React project dependencies involving the es5-ext protestware? https:\/\/stackoverflow.com\/questions\/71877958\/removing-react-project-dependencies-involving-the-es5-ext-protestware Accessed: May 14, 2024"},{"key":"e_1_2_1_63_1","unstructured":"2022. samber\/awesome-prometheus-alerts@6bfcdcc. https:\/\/github.com\/samber\/awesome-prometheus-alerts\/commit\/6bfcdcca165e57c6fa09a561515c33284caa20c2"},{"key":"e_1_2_1_64_1","unstructured":"2022. Sber advises against updating software due to risk of cyber attacks. https:\/\/www.fontanka.ru\/2022\/03\/18\/70517441\/"},{"key":"e_1_2_1_65_1","unstructured":"2022. StandWithUkraine banner and related documents. https:\/\/github.com\/vshymanskyy\/StandWithUkraine"},{"key":"e_1_2_1_66_1","unstructured":"2022. Stop war in Ukraine!. https:\/\/github.com\/evolution-cms\/evolution\/commit\/1c586bc76f739264dcf0482530945875fa444b77"},{"key":"e_1_2_1_67_1","unstructured":"2022. The story behind colors.js and faker.js. https:\/\/www.revenera.com\/blog\/software-composition-analysis\/the-story-behind-colors-js-and-faker-js\/"},{"key":"e_1_2_1_68_1","unstructured":"2022. Undesired Behavior in styled-components. https:\/\/security.snyk.io\/vuln\/SNYK-JS-STYLEDCOMPONENTS-3149924"},{"key":"e_1_2_1_69_1","unstructured":"2022. Update README.md \u00b7 AlexKhymenko\/ngx-permissions@93d08f2. https:\/\/github.com\/AlexKhymenko\/ngx-permissions\/commit\/93d08f234d1ccc9a096006b5633fedb936b07865"},{"key":"e_1_2_1_70_1","unstructured":"2022. update \u00b7 Yaffle\/EventSource@de13792. https:\/\/github.com\/Yaffle\/EventSource\/commit\/de137927e13d8afac153d2485152ccec48948a7a"},{"key":"e_1_2_1_71_1","unstructured":"2022. v11 peacenotwar update \u00b7 RIAEvangelist\/node-ipc@1220522 \u00b7 GitHub. https:\/\/web.archive.org\/web\/20220317103231\/https:\/\/github.com\/RIAEvangelist\/node-ipc\/commit\/1220522453a0388cb4af1a74fe9a0482b6b3a9f3"},{"key":"e_1_2_1_72_1","unstructured":"2022. web4ukraine. https:\/\/github.com\/pilotcz\/web4ukraine"},{"key":"e_1_2_1_73_1","unstructured":"2023. Added support Palestine banner (##182). https:\/\/github.com\/FajarKim\/github-readme-profile\/commit\/9c594323ea80a271694ffdb74ded2ecf459403c5"},{"key":"e_1_2_1_74_1","unstructured":"2023. Commit c4883bf. https:\/\/github.com\/mehrnooshbahmani\/liberte\/commit\/c4883bf95589cd47f9d9f9b2dc2e9e2923f58c65"},{"key":"e_1_2_1_75_1","unstructured":"2023. e2eakarev - npm. https:\/\/www.npmjs.com\/package\/e2eakarev"},{"key":"e_1_2_1_76_1","unstructured":"2023. node-ipc. https:\/\/github.com\/RIAEvangelist\/node-ipc"},{"key":"e_1_2_1_77_1","volume-title":"Gaza. https:\/\/www.reversinglabs.com\/blog\/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza Accessed","year":"2024","unstructured":"2023. Protestware taps npm to call out wars in Ukraine, Gaza. https:\/\/www.reversinglabs.com\/blog\/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza Accessed: May, 2024"},{"key":"e_1_2_1_78_1","unstructured":"2024. Add perf har-poon \u00b7 doramatadora\/har-poon@f9c7609. https:\/\/github.com\/doramatadora\/har-poon\/commit\/f9c7609b0a1a4b51570b27d96e37abe9531f9e0c"},{"key":"e_1_2_1_79_1","unstructured":"2024. Commit 72ea89d. https:\/\/github.com\/Autumn-one\/javascript-treasure\/commit\/72ea89db6eff63efb31fc2b23d7d2232e3d82bc7"},{"key":"e_1_2_1_80_1","unstructured":"2024. Open Source Initiative_2024. https:\/\/opensource.org\/osd"},{"key":"e_1_2_1_81_1","unstructured":"2024. Pro-Palestinian protest on UA campus ends in tear gas rubber bullets arrests. What\u2019s next? https:\/\/www.azcentral.com\/story\/news\/local\/arizona-education\/2024\/05\/01\/what-to-know-about-pro-palestinian-protest-at-university-of-arizona\/73532255007\/"},{"key":"e_1_2_1_82_1","unstructured":"2024. Protestware - How node-ipc turned into malware. https:\/\/www.lunasec.io\/docs\/blog\/node-ipc-protestware\/"},{"key":"e_1_2_1_83_1","unstructured":"2024. Wayback Machine. https:\/\/web.archive.org\/"},{"key":"e_1_2_1_84_1","volume-title":"What is Grey Literature? https:\/\/guides.library.illinois.edu\/c.php?g=1310347 Accessed","year":"2025","unstructured":"2024. What is Grey Literature? https:\/\/guides.library.illinois.edu\/c.php?g=1310347 Accessed: Feb 24, 2025"},{"key":"e_1_2_1_85_1","unstructured":"2025. Commit 279ec0e. https:\/\/github.com\/Coral-UI\/core\/commit\/279ec0e61c704871626fb8b4ec932c2b5c0d0b38"},{"key":"e_1_2_1_86_1","unstructured":"2025. Supplementary Material. https:\/\/zenodo.org\/records\/14929674"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3559545"},{"key":"e_1_2_1_89_1","volume-title":"2015 30th IEEE\/ACM International Conference on Automated Software Engineering Workshop (ASEW). 86\u201389","author":"Bogart Christopher","year":"2015","unstructured":"Christopher Bogart, Christian K\u00e4stner, and James Herbsleb. 2015. When it breaks, it breaks: How ecosystem developers reason about the stability of dependencies. In 2015 30th IEEE\/ACM International Conference on Automated Software Engineering Workshop (ASEW). 86\u201389."},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950325"},{"key":"e_1_2_1_91_1","volume-title":"Proceedings of the ACM on Software Engineering, 1, FSE","author":"Chen Jesse","year":"2024","unstructured":"Jesse Chen, Dharun Anandayuvaraj, James C Davis, and Sazzadur Rahaman. 2024. On the Contents and Utility of IoT Cybersecurity Guidelines. Proceedings of the ACM on Software Engineering, 1, FSE (2024), 1400\u20131423."},{"key":"e_1_2_1_92_1","volume-title":"Raula Gaikovina Kula, and Christoph Treude","author":"Cheong Marc","year":"2023","unstructured":"Marc Cheong, Raula Gaikovina Kula, and Christoph Treude. 2023. Ethical Considerations Towards Protestware. IEEE Software."},{"key":"e_1_2_1_93_1","volume-title":"Alessandro Galeazzi, Walter Quattrociocchi, and Michele Starnini.","author":"Cinelli Matteo","year":"2021","unstructured":"Matteo Cinelli, Gianmarco De Francisci Morales, Alessandro Galeazzi, Walter Quattrociocchi, and Michele Starnini. 2021. The echo chamber effect on social media. Proceedings of the National Academy of Sciences, 118, 9 (2021)."},{"key":"e_1_2_1_94_1","unstructured":"Lucian Constantin. 2022. Developer sabotages own NPM module prompting open-source supply chain security questions. CSO Online https:\/\/www.csoonline.com\/article\/572327\/developer-sabotages-own-npm-module-prompting-open-source-supply-chain-security-questions.html"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1145\/3273934.3273942"},{"key":"e_1_2_1_96_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards measuring supply chain attacks on package managers for interpreted languages."},{"key":"e_1_2_1_97_1","volume-title":"Proceedings of the 2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings. 308\u2013309","author":"Fan Youmei","year":"2024","unstructured":"Youmei Fan, Dong Wang, Supatsara Wattanakriengkrai, Hathaichanok Damrongsiri, Christoph Treude, Hideaki Hata, and Raula Gaikovina Kula. 2024. Going Viral: Case Studies on the Impact of Protestware. In Proceedings of the 2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings. 308\u2013309."},{"key":"e_1_2_1_98_1","first-page":"1","article-title":"Developer reactions to protestware in open source software: the cases of color. js and es5. ext","volume":"30","author":"Fan Youmei","year":"2025","unstructured":"Youmei Fan, Dong Wang, Supatsara Wattanakriengkrai, Hathaichanok Damrongsiri, Christoph Treude, Hideaki Hata, and Raula Gaikovina Kula. 2025. Developer reactions to protestware in open source software: the cases of color. js and es5. ext. Empirical Software Engineering, 30, 2 (2025), 1\u201325.","journal-title":"Empirical Software Engineering"},{"key":"e_1_2_1_99_1","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). 258\u2013267","author":"Gonzalez Danielle","year":"2021","unstructured":"Danielle Gonzalez, Thomas Zimmermann, Patrice Godefroid, and Max Sch\u00e4fer. 2021. Anomalicious: Automated detection of anomalous and potentially malicious commits on github. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). 258\u2013267."},{"key":"e_1_2_1_100_1","doi-asserted-by":"crossref","unstructured":"Leo A Goodman. 1961. Snowball sampling. The annals of mathematical statistics 148\u2013170.","DOI":"10.1214\/aoms\/1177705148"},{"key":"e_1_2_1_101_1","doi-asserted-by":"crossref","unstructured":"Greg Guest Kathleen M MacQueen and Emily E Namey. 2012. Applied thematic analysis. sage.","DOI":"10.4135\/9781483384436"},{"key":"e_1_2_1_102_1","volume-title":"2024 IEEE Symposium on Security and Privacy (SP). 1609\u20131627","author":"Hanley Hans WA","year":"2024","unstructured":"Hans WA Hanley, Deepak Kumar, and Zakir Durumeric. 2024. Specious sites: Tracking the spread and sway of spurious news stories at scale. In 2024 IEEE Symposium on Security and Privacy (SP). 1609\u20131627."},{"key":"e_1_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jksues.2016.04.002"},{"key":"e_1_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3560882"},{"key":"e_1_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.4103\/2249-4863.161306"},{"key":"e_1_2_1_106_1","doi-asserted-by":"publisher","DOI":"10.2307\/1953909"},{"key":"e_1_2_1_107_1","volume-title":"Observational research methods. Research design II: cohort, cross sectional, and case-control studies. Emergency medicine journal, 20, 1","author":"Mann CJ","year":"2003","unstructured":"CJ Mann. 2003. Observational research methods. Research design II: cohort, cross sectional, and case-control studies. Emergency medicine journal, 20, 1 (2003), 54\u201360."},{"key":"e_1_2_1_108_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.asej.2014.04.011"},{"key":"e_1_2_1_109_1","unstructured":"Matthew B Miles and A Michael Huberman. 1994. Qualitative data analysis: An expanded sourcebook. sage."},{"key":"e_1_2_1_110_1","volume-title":"Proceedings of the 44th International Conference on Software Engineering (FSE)","author":"Miller Courtney","year":"2022","unstructured":"Courtney Miller, Sophie Cohen, Daniel Klug, Bogdan Vasilescu, and Christian KaUstner. 2022. \"Did you miss my comment or what?\" understanding toxicity in open source discussions. In Proceedings of the 44th International Conference on Software Engineering (FSE) 2022. 710\u2013722."},{"key":"e_1_2_1_111_1","volume-title":"Study on Navigating Open-Source Dependency Abandonment. In 31st ACM Symposium on the Foundations of Software Engineering","author":"Miller Courtney","year":"2023","unstructured":"Courtney Miller, Christian K\u00e4stner, and Bogdan Vasilescu. 2023. \u201cWe Feel Like We\u2019re Winging It:\u201d A Study on Navigating Open-Source Dependency Abandonment. In 31st ACM Symposium on the Foundations of Software Engineering 2023. 1281\u20131293."},{"key":"e_1_2_1_112_1","doi-asserted-by":"crossref","unstructured":"Sendhil Mullainathan and Andrei Shleifer. 2002. Media bias.","DOI":"10.3386\/w9295"},{"key":"e_1_2_1_113_1","unstructured":"Open-Source-Peace. 2022. List of open-source projects containing protestware. https:\/\/github.com\/open-source-peace\/protestware-list\/tree\/main"},{"key":"e_1_2_1_114_1","volume-title":"Abuse Vectors: A Framework for Conceptualizing IoT-Enabled Interpersonal Abuse. In 32nd USENIX Security Symposium","author":"Stephenson Sophie","year":"2023","unstructured":"Sophie Stephenson, Majed Almansoori, Pardis Naeini, Danny Huang, and Rahul Chatterjee. 2023. Abuse Vectors: A Framework for Conceptualizing IoT-Enabled Interpersonal Abuse. In 32nd USENIX Security Symposium 2023. 69\u201386."},{"key":"e_1_2_1_115_1","doi-asserted-by":"crossref","unstructured":"Maite Taboada. 2016. Sentiment analysis: An overview from linguistics. Annual Review of Linguistics.","DOI":"10.1146\/annurev-linguistics-011415-040518"},{"key":"e_1_2_1_116_1","doi-asserted-by":"crossref","unstructured":"Ralph H Turner. 1969. The public perception of protest. American sociological review 815\u2013831.","DOI":"10.2307\/2095975"},{"key":"e_1_2_1_117_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236062"},{"key":"e_1_2_1_118_1","doi-asserted-by":"crossref","unstructured":"Francesca Vassallo. 2018. The evolution of protest research: Measures and approaches. PS: Political Science & Politics.","DOI":"10.1017\/S1049096517001779"},{"key":"e_1_2_1_119_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-022-10144-1"},{"key":"e_1_2_1_120_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). 1545\u20131560","author":"Wermke Dominik","year":"2023","unstructured":"Dominik Wermke, Jan H Klemmer, Noah W\u00f6hler, Juliane Schm\u00fcser, Harshini Sri Ramulu, Yasemin Acar, and Sascha Fahl. 2023. \" Always Contribute Back\": A Qualitative Study on Security Challenges of the Open Source Supply Chain. In 2023 IEEE Symposium on Security and Privacy (SP). 1545\u20131560."},{"key":"e_1_2_1_121_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"e_1_2_1_122_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2019.8667997"},{"key":"e_1_2_1_123_1","volume-title":"28th USENIX Security Symposium","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th USENIX Security Symposium 2019. 995\u20131010."}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729381","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:16:51Z","timestamp":1750346211000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729381"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,19]]},"references-count":123,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2025,6,19]]}},"alternative-id":["10.1145\/3729381"],"URL":"https:\/\/doi.org\/10.1145\/3729381","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,19]]}}}