Protestware: “peacenotwar” NPM package drops anti-war message on user's desktop (github.com/riaevangelist)
5 points by batat on March 15, 2022 | hide | past | favorite | 6 comments


How does this "protest" affect the Russians?

How would deliberately annoying your entire user base by creating spam files on their desktop and synced folders without permission possibly help anything?

All it will do is cause chaos as people suspect that their dev and CI machines have been infected with a virus, costing time and money to track down what happened. Then they'll be angry at YOU, not the Russians.


The full timeline of events and details about how this unfolds are covered here in my write-up: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-pack...


Right now it's included as a dependency only in the node-ipc package [1] from the same author (1M weekly downloads/355 dependents).

[1] https://www.npmjs.com/package/node-ipc


...and node-ipc has been version-locked[1] to a previous release by vue/cli-shared-utils, perhaps one of the more popular downstream consumers of the package.

[1] - https://github.com/vuejs/vue-cli/issues/7051
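The two comments above come down to one practical question for anyone running Node projects: is node-ipc (and through it peacenotwar) anywhere in my dependency tree, at what version, and who pulled it in? The following script is an added example for this thread, not code from node-ipc, Vue, or the linked write-up. It walks an npm `package-lock.json` (lockfileVersion 2/3 `"packages"` layout) and reports every installed copy of the named packages plus the packages that declare them as dependencies. The embedded lockfile is constructed for illustration: the package names come from the thread, but the version strings are placeholders and are not the real affected releases.

```python
import json
import sys

# Constructed sample lockfile (lockfileVersion 3 layout). Versions are
# PLACEHOLDER values, not the actual node-ipc / peacenotwar releases.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"@vue/cli-shared-utils": "PLACEHOLDER"}},
        "node_modules/@vue/cli-shared-utils": {
            "version": "PLACEHOLDER",
            "dependencies": {"node-ipc": "PLACEHOLDER"},
        },
        "node_modules/node-ipc": {
            "version": "PLACEHOLDER",
            "dependencies": {"peacenotwar": "PLACEHOLDER"},
        },
        "node_modules/peacenotwar": {"version": "PLACEHOLDER"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

DEP_FIELDS = ("dependencies", "optionalDependencies",
              "devDependencies", "peerDependencies")


def package_name(install_path):
    """Derive the package name from a lockfile install path.
    Works for scoped (@vue/x) and nested (a/node_modules/b) entries."""
    return install_path.rsplit("node_modules/", 1)[-1]


def find_packages(lock, names):
    """Return {name: [(install_path, version), ...]} for every installed
    copy of each package in `names`. Multiple hits mean nested duplicates."""
    wanted = set(names)
    hits = {n: [] for n in wanted}
    for path, entry in lock.get("packages", {}).items():
        if not path:          # "" is the root project itself
            continue
        name = package_name(path)
        if name in wanted:
            hits[name].append((path, entry.get("version")))
    return hits


def dependents_of(lock, target):
    """List the install paths of packages that declare `target` in any
    dependency field, i.e. who is responsible for pulling it in."""
    result = []
    for path, entry in lock.get("packages", {}).items():
        if any(target in entry.get(field, {}) for field in DEP_FIELDS):
            result.append(path or "<root>")
    return sorted(result)


def scan_lockfile(lockfile_path, names):
    """Load a real package-lock.json and run both checks over it."""
    with open(lockfile_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return {n: {"installed": find_packages(lock, [n])[n],
                "dependents": dependents_of(lock, n)} for n in names}


if __name__ == "__main__":
    watch = ["node-ipc", "peacenotwar"]
    if len(sys.argv) > 1:
        report = scan_lockfile(sys.argv[1], watch)          # usage: script.py package-lock.json
    else:
        report = {n: {"installed": find_packages(SAMPLE_LOCK, [n])[n],
                      "dependents": dependents_of(SAMPLE_LOCK, n)} for n in watch}
    for name, info in report.items():
        print(f"{name}: installed={info['installed']} dependents={info['dependents']}")
```

Run it against a project's own `package-lock.json` to see both whether the package is present and which upstream (here, the constructed `@vue/cli-shared-utils` entry) is responsible; that is the information needed to decide whether a version lock like the vue-cli one covers your tree or whether you need your own pin.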


Another downstream consumer is the Unity Hub (software to download & manage Unity Engine versions) via Vue.


Yet another manifest found in es5-ext: https://github.com/medikoo/es5-ext/issues/116



