Developer sabotages open source modules colors.js and faker.js in NPM, affecting thousands of projects

Stop - Pixabay[German]There's a bigger issue looming in open source. Thousands of projects that have included the open source modules colors.js and faker.js via the npm package manager have now run into a serious problem. The developer of the two modules became frustration that mega-corporations and commercial users of open source projects are helping themselves to this free library without giving anything back. So he decided to commit code, that breaks the two modules.


Small classification

npm  (Node Package Manager) is a package manager for the JavaScript runtime environment Node.js. npm was programmed in 2010 by Isaac Schlueter as an employee of the Californian cloud platform provider Joyent. JavaScript packages are distributed via npm. Wikipedia notes that the npm repository, like any repository, is vulnerable to packages being posted with malicious code. If such packages are used via dependencies in a software project, various supply chain attacks can be carried out. In the past, attacks via typosquatting and social engineering have been reported.

The colors.js library is downloaded over 20 million times per week on npm alone and nearly 19,000 projects use this library. Faker.js is downloaded over 2.8 million times a week on npm and has over 2,500 dependencies. So there are a lot of projects based on these two components.

The developer is pissed

In November 2020, the developer of colors.js and faker.js, Marak Squires had warned that he would no longer support large companies with his "free work" and that commercial companies should consider either forking the projects or compensating the developer with a six-figure annual salary.

… and now it has banged

Must not have done much good, though, because over the weekend reports suddenly popped up on the web that the npm libraries that use the two aforementioned JS modules might be compromised. On GitHub there is an issue entry for AWS, which complains that when including the cdk (Amazon Development Kit) via pnpm in node.js 16.3.0 only the following output occurs:

cdk output


The following tweet picks up on this and also shows a screenshot of the issues. There they talk about a bug in colors.js.

Bug in colors.js

Colleagues at Bleeping Computer indicate in the following tweet that there was a sabotage on two js modules by the defeloper and describe the full story in this post.

npm bricked

t was not a hack or an attack, but the developer Marak Squires simply made a new commit and added an american flags module in v1.4.44-liberty-2 which generates glibbish output.

The same happened for faker.js and the developer posted here for colors.js the note "It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors", and that he is working on a solution.

The reason for this dodge on the part of the developer, according to Bleeping Computer, seems to be retaliation against megacorporations and commercial users of open source projects. The latter make extensive use of free and community-driven software, but give nothing back to the community, according to the developer.

The README for the GitHub repository with the modified faker.js library now includes the text "What really happened with Aaron Swartz?".

Aaron Hillel Swartz was an American programmer, entrepreneur, author, political movement organizer, and hacktivist; best known as the co-founder of Reddit and for his advocacy against Internet censorship. On July 19, 2011, Swartz was charged with illegally downloading 4.8 million scholarly articles from the journal archive JSTOR. He wanted to make these documents publicly available.

After Swartz turned the data over to JSTOR, the operator announced it would not pursue civil claims against Swartz. The case was pursued by prosecutor Stephen Heymann (Swartz was facing 35 years in prison). Before the start of the trial, which was scheduled for April 2013, Swartz, who had suffered from depression for years, committed suicide.

GitHub suspended the developer's account (see this tweet from Jan. 6, 2021), and NPM rolled back the libraries to their previous state so that dependent packages would be functionally reincorporated into projects. The whole action was a warning shot and sparked a discussion in the open source scene. The case shows how shaky many projects are – and a supply chain attack could send shockwaves through IT again. Basically, though, we don't need to discuss supply chain attacks, because the episode shows how broken the entire software development process is. You can read more details from our colleagues here, if needed.

In the meantime, this discussion about the person of the developer has raised up on Twitter. I can't say anything about this topic, especially since there are few web hits for the keywords raised there – in the dumbest case it's a person with the same name. It's also not relevant in the context of the article above, as it's more about "how do we keep FOSS in relation to multi-million dollar companies using it for free?" and "how can a single developer make thousands of node.js projects wobble?".

Cookies helps to fund this blog: Cookie settings

This entry was posted in Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *