Open source developer corrupts widely-used libraries, affecting tons of projects

Roger Stringer • January 09, 2022

2 min read

A developer appears to have purposefully corrupted a pair of open-source libraries on GitHub and software registry npm: "faker.js" and "colors.js" that thousands of users depend on, rendering any project that contains these libraries useless.

While it looks like color.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3).

Bleeping Computer found that the developer of these two libraries, Marak Squires, introduced a malignant commit (a file revision on GitHub) to colors.js that adds “a new American flag module,” as well as rolled out version 6.6.6 of faker.js, triggering the same destructive turn of events. The sabotaged versions cause applications to infinitely output strange letters and symbols, beginning with three lines of text that read “LIBERTY LIBERTY LIBERTY.”

[…]

The story doesn't end there, though. Bleeping Computer dug up one of Squires' posts on GitHub from November 2020, in which he declares he no longer wants to do free work. “Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he says. “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

Squires' bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions. A massive number of websites, software, and apps rely on open-source developers to create essential tools and components — all for free. It's the same issue that results in unpaid developers working tirelessly to fix the security issues in their open-source software, like the Heartbleed scare in 2014 that affected OpenSSL and the more recent Log4Shell vulnerability found in log4j that left volunteers scrambling to fix.

This is an interesting situation, and I can see Marak move opening up a can of worms across the industry, but introducing changes that create infinite loops in software using your library just doesn't seem a good way to go about things.

Tagged in: #Links
Like this blog post? Share it on twitter!