Third-party dependencies can be very cool, but they're also a great way to introduce unexpected vulnerabilities to your code. For whatever reason, NPM packages seem particularly susceptible to these problems.
Russia's aggression is catastrophic and unjustified, and the apparent intent of the code was to add a little more pressure to Russia & Belarus to withdraw from Ukraine, by disrupting systems in those countries using the library. Unfortunately, this was a rotten way to do it, because the consequences are unpredictable and often unintended, and could affect good people doing good work. Especially if this unverified allegation is true.