Users of the popular open-source libraries 'colors' and 'faker' were left stunned when applications that use them started printing gibberish and breaking.
Some suspected the npm libraries had been compromised, but there is more to the story.
The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.'
The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it; faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.
Open Source Revolution?
The developer behind popular open-source NPM libraries 'colors' (aka colors.js on GitHub) and 'faker' (aka 'faker.js' on GitHub) intentionally introduced mischievous commits in them that are impacting thousands of applications relying on these libraries.
Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit (aws-cdk), were left stunned to see their applications print gibberish messages to the console.
These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by a sequence of non-ASCII characters.
Initially, users suspected that the libraries 'colors' and 'faker' used by these projects were compromised [1, 2, 3], similar to how coa, rc, and ua-parser-js libraries were hijacked last year by malicious actors.
In fact, it was the developer behind colors and faker who appears to have intentionally committed the code responsible for the breakage, as seen by BleepingComputer.
The developer, Marak Squires, added a "new American flag module" to the colors.js library yesterday in version v1.4.44-liberty-2, which he then pushed to GitHub and npm.
The loop runs as soon as the module is loaded and never returns, so any application that requires 'colors' prints the non-ASCII character sequence to its console endlessly.
Likewise, a sabotaged version '6.6.6' of faker was published to GitHub and npm.
"It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors," mocked the developer.
"Please know we are working right now to fix the situation and will have a resolution shortly."
Zalgo text is text piled with stacked Unicode combining marks so that it appears glitchy.
The reason behind this mischief on the developer's part appears to be retaliation against mega-corporations and commercial consumers of open-source projects who, according to the developer, rely extensively on cost-free, community-powered software without giving back to the community.
In November 2020, Marak had warned that he would no longer be supporting big corporations with his "free work" and that commercial entities should either fork the projects or compensate him with a yearly "six figure" contract.
"Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn't much else to say," the developer previously wrote.
"Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it."
Interestingly, as of today, BleepingComputer noticed that the README page for the 'faker' GitHub repo was also modified by the developer to make reference to Aaron Swartz by stating: "What really happened with Aaron Swartz?"
Swartz was an American programmer, entrepreneur, and renowned hacktivist who, following a legal battle, committed suicide.
In an effort to make information freely accessible to all, the hacktivist downloaded millions of journal articles from the JSTOR database present on the MIT campus network, allegedly by rotating his IP and MAC addresses repeatedly to get around the technological blocks put in place by JSTOR and MIT.
In the process of doing this, Swartz may have run afoul of the Computer Fraud and Abuse Act and faced criminal charges, with penalties of up to thirty-five years in prison.
Uncanny can of worms
Marak's bold move has opened up a can of worms and attracted mixed responses.
Some members of the open-source software community have praised the developer's actions, while others are appalled by it.
"Apparently the author of 'colors.js' is angry for not being paid... So he decided to print the American flag each time his library is loaded... WTF," tweeted one user.
Some dubbed this an instance of "yet another OSS developer going rogue," whereas InfoSec expert VessOnSecurity called the action "irresponsible," stating:
"If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."
GitHub has reportedly suspended the developer's account. That, too, has caused mixed reactions:
"Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.
"Never know what happened but I'm hosting all of my projects on GitLab private instance just in case things like this happening to me. Never trust any internet service provider," tweeted another.
"Marak yeeted faker and colors, bricking tons of projects, and expected nothing to happen?" stated a developer named Piero.
Marak's surprising move follows the recent Log4j debacle that set the internet on fire.
The open-source library Log4j is used extensively in a vast range of Java applications, including those developed by corporations and commercial entities.
Shortly after mass exploitation of the Log4Shell vulnerability began, the maintainers of the open-source library worked without compensation over the holidays to patch the project, as more and more CVEs were being discovered.
Concerns emerged about how big businesses had grown used to "exploiting" open source: consuming it incessantly without giving back enough to support the unpaid volunteers who sustain these critical projects in their free time.
Some also criticized the netizens and bug bounty hunters hounding the Log4j maintainers who were already "working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc." [1, 2, 3].
"The responses to the colors.js/faker.js author sabotaging their own packages are really telling about how many corporate developers think they are morally entitled to open source developers' unpaid labour without contributing anything back," wrote one Twitter user.
Time will tell what the future of open-source software entails, with regards to the OSS sustainability problem.
In the meantime, users of the 'colors' and 'faker' npm packages should check which versions actually resolved in their dependency tree (the lockfile, or the output of `npm ls colors faker`, shows every copy, including transitive ones) and ensure none of them is an unsafe release. Pinning to an earlier version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3), with an exact version rather than a range so the lockfile cannot drift onto a newer release, is one solution.
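As an added example (not code from the article, nor from the colors or faker projects), the script below audits an npm package-lock.json for every installed copy of the two packages and flags any release newer than the downgrade targets the article names, colors 1.4.0 and faker 5.5.3. Treating everything newer than those two releases as unsafe is an assumption made here for the check, and the sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for unsafe releases of 'colors'
// and 'faker'. Assumption: the last known-good releases are the downgrade
// targets named in the article (colors 1.4.0, faker 5.5.3); any newer
// version, including 1.4.44-liberty-2 and 6.6.6, is treated as unsafe.
const LAST_KNOWN_GOOD = { colors: "1.4.0", faker: "5.5.3" };

// Split "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its own release
// (1.4.44-liberty-2 < 1.4.44) but above any lower tuple (> 1.4.0), so a
// plain "newer than last known-good" check still catches the tagged release.
// Prerelease identifiers are compared lexically, which is enough here.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Every installed copy of the watched packages, including nested duplicates
// pulled in transitively. Handles lockfileVersion 2/3 ("packages", keyed by
// install path) and lockfileVersion 1 ("dependencies", nested objects).
function installedVersions(lock, names) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (names.includes(name) && meta.version) {
        found.push({ name, version: meta.version, path });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (names.includes(name) && meta.version) {
          found.push({ name, version: meta.version, path });
        }
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Entry point: one finding per installed copy, marked unsafe when it is
// newer than the last known-good release, with the version to pin to.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const names = Object.keys(LAST_KNOWN_GOOD);
  return installedVersions(lock, names).map((e) => ({
    ...e,
    unsafe: compareVersions(e.version, LAST_KNOWN_GOOD[e.name]) > 0,
    pinTo: LAST_KNOWN_GOOD[e.name],
  }));
}

// One human-readable line per finding.
function formatReport(findings) {
  return findings.map((f) =>
    `${f.unsafe ? "UNSAFE" : "ok    "} ${f.path} (${f.name}@${f.version})` +
    (f.unsafe ? ` -> pin ${f.name} to ${f.pinTo}` : ""));
}

// Constructed sample lockfile, not real project data: the app pins faker and
// has a safe top-level colors, but a CLI dependency carries its own nested
// copy of colors that resolved to the sabotaged release.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "some-cli": "^2.0.0", faker: "5.5.3" } },
    "node_modules/some-cli": { version: "2.0.1" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "5.5.3" },
  },
});

console.log(formatReport(auditLockfile(SAMPLE_LOCK)).join("\n"));
```

Run it with node, passing the contents of a real package-lock.json in place of SAMPLE_LOCK. A nested copy like the one in the sample is not fixed by pinning your own package.json entry, because the transitive dependent declares its own range; npm's `overrides` field (npm 8.3 and later) or yarn's `resolutions` force a single version across the whole tree, and `npm ls colors faker` afterwards confirms what actually resolved.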
Update 10:08 AM ET: Added tweet from @VessOnSecurity after publishing.
Update 11:24 AM ET: Added developer's full name, Marak Squires.
Comments
Mike_Walsh - 22 hours ago
In all honesty, the guy's absolutely within his rights to sabotage his own work. Especially if he's doing it in his own free time, and not seeing one red nickel in compensation.
Why SHOULD big corporations make a ton of money off the back of somebody else's unpaid labour.....even if they DID do it 'for the love of it'?
Fair's fair. You scratch my back, and I'll return the favour. You stab me in the back.....ditto.
Cuts both ways, y'know.....??
Mallissin - 4 hours ago
In all honesty, the guy's absolutely within his rights to poison his own cupcakes. Especially if he's doing it in his own free time for the bake sale, and not seeing one red nickel in compensation.
Why SHOULD big communities make a ton of money off the back of somebody else's unpaid labour.....even if they DID do it 'for the love of it'?
Fair's fair. You scratch my back, and I'll return the favour. You stab me in the back.....ditto.
Cuts both ways, y'know.....??
(Note: Heavy sarcasm as a form of satire.)
FastTurtle - 2 hours ago
Not a fair comparison. Nobody had to go to the emergency room because of this.
GT500 - 21 hours ago
From what I read here, the guy sounds like a socialist who got greedy. It also sounds like everyone would be better off not relying on his code, since it obviously can't be considered reliable in the future.
I think he's forgotten the spirit of open source, where things were supposed to be "free as in beer"... If the guy wanted paid for his software, he shouldn't have published it under an open source license.
Advocates for open source spent decades trying to get corporations to use open source software, trying to convince them it was free and they should use it because they'd never have to pay for it. What will stunts like this get us? Will we end up going back to the dark days where corporations only used paid software, regardless of how bad it was, because they felt they couldn't trust open source projects? The days when open source was "fringe" and no one cared about it outside of a small group of overzealous nerds and Linux fanboys?
Bonzadog - 2 hours ago
"From what I read here, the guy sounds like a socialist who got greedy. It also sounds like everyone would be better off not relying on his code, since it obviously can't be considered reliable in the future.
I think he's forgotten the spirit of open source, where things were supposed to be "free as in beer"... If the guy wanted paid for his software, he shouldn't have published it under an open source license.
Advocates for open source spent decades trying to get corporations to use open source software, trying to convince them it was free and they should use it because they'd never have to pay for it. What will stunts like this get us? Will we end up going back to the dark days where corporations only used paid software, regardless of how bad it was, because they felt they couldn't trust open source projects? The days when open source was "fringe" and no one cared about it outside of a small group of overzealous nerds and Linux fanboys?"
Oh that American horror Word "Socialist"......but I agree with you. One cannot trust this person ever again and what is to stop this from happening again? Why should all software be free....some people put a lot of time and effort into their SW so a payment need not be frowned upon.
darkoverlordofdata - 19 hours ago
Thanks, Marak. I write open source software. Looks like I may have to start writing everything myself, if I can't rely on my fellow programmers.
Koroush - 17 hours ago
This is entirely understandable. I wrote about this exact phenomenon several years ago in an article entitled The Linux Experiment (mirrored on PCGamingWiki now).
Essentially, while the Free Open Source Software movement and its aims are laudable, its business model and overall approach are more like a religion than anything else. It ultimately results in a lot of very talented people becoming disillusioned - and poor - because they discover that total reliance on karma isn't actually a workable business model.
ThePhox1982 - 6 hours ago
This is precisely why the creator of Node.js made Deno. When building apps with Node.js or nw.js you never know if now or anywhere down the road a dependency you used has a dependency that is malicious, or whether one of its dependencies' dependencies' dependencies' dependency can be trusted. That is the issue with NPM: no matter how security focused you are, it is IMPOSSIBLE for you to account for everything else down the line, and even if a dependency you choose doesn't have any other dependencies now, that doesn't mean they won't update it later, so unless you version lock every single dependency you use (assuming the dependency's creator leaves old versions available), you will never know if your program will break or if your program will cause people harm. Therefore your program made with an NPM module will NEVER be secure, EVER. Frankly, with these sorts of things happening weekly, it's amazing anyone uses Node.js anymore and really, it's a security threat for anyone to use it!
Bonzadog - 2 hours ago
This seems to me to be a very nasty thing to do.....at least without a warning.
Perhaps OSS needs a rethink, since this could happen again.
mynameisgod - 2 hours ago
There was never a contract that said this guy is owed money by corporations. What part of free open source do you not understand? The dev is a certified ASS. This move hurt the open source community. Never in my life did I ever think I would take the side of corporations, until now.
HahTse - 36 minutes ago
If only there were some kind of license that would prevent the corpos from getting a free ride on FOSS...perhaps some kind of General, or Public License...
Seriously, it's like no one even remembers Richard Stallman.
TigerNinja - 16 minutes ago
I use these libraries in my projects that I build from the ground up. I'm not a corporation, thanks.
dimayv - 10 minutes ago
This is right action towards reforming or eliminating npm. It is not governed - namesquatting and low quality is all over the place. It is risky and was always risky to subscribe to deps autoupdates.
Devs should get off this hook and be responsible for the code they use in dependencies.
It has plenty of benefits https://twitter.com/DimaYv/status/1417482069257723912?s=20
TomTom55 - 4 minutes ago
Maybe he could just change their license to a copyleft one if he wants people to contribute.