Users of popular open-source libraries 'colors' and 'faker' were left
stunned after they saw their applications, using these libraries,
printing gibberish data and breaking.

Some surmised if the NPM libraries had been compromised, but it turns
out there's much more to the story.

The developer of these libraries intentionally introduced an infinite
loop that bricked thousands of projects that depend on 'colors' and
'faker'.

The colors library receives over 20 million weekly downloads on npm
alone, and has almost 19,000 projects depending on it. Whereas, faker
receives over 2.8 million weekly downloads on npm, and has over 2,500
dependents.

# Open Source Revolution?

The developer behind popular open-source NPM libraries 'colors' (aka
colors.js on GitHub) and 'faker' (aka 'faker.js' on GitHub)
intentionally introduced mischievous commits in them that are impacting
thousands of applications relying on these libraries.

Yesterday, users of popular open-source projects, such as Amazon's
Cloud Development Kit (aws-cdk) were left stunned on seeing their
applications print gibberish messages on their console.

These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by
a sequence of non-ASCII characters.

Initially, users suspected that the libraries 'colors' and 'faker' used
by these projects were compromised [1, 2, 3], similar to how coa, rc,
and ua-parser-js libraries were hijacked last year by malicious actors.

But, in fact, it was the dev behind colors and faker who appears to
have intentionally committed the code responsible for the major
blunder, as seen by BleepingComputer.

The developer, named Marak Squires added a "new American flag module"
to colors.js library yesterday in version v1.4.44-liberty-2 that he
then pushed to GitHub and npm.

The infinite loop introduced in the code will keep running
indefinitely; printing the gibberish non-ASCII character sequence
endlessly on the console for any applications that use 'colors.'

Likewise, a sabotaged version '6.6.6' of faker was published to GitHub
and npm.

"It's come to our attention that there is a zalgo bug in the
v1.4.44-liberty-2 release of colors," mocked the developer.

"Please know we are working right now to fix the situation and will
have a resolution shortly."

Zalgo text refers to certain non-ASCII characters that appear glitchy.

The reason behind this mischief on the developer's part appears to be
retaliation—against mega-corporations and commercial consumers of
open-source projects who extensively rely on cost-free and
community-powered software but do not, according to the developer, give
back to the community.

In November 2020, Marak had warned that he will no longer be supporting
the big corporations with his "free work" and that commercial entities
should consider either forking the projects or compensating the dev
with a yearly "six figure" salary.

"Respectfully, I am no longer going to support Fortune 500s ( and other
smaller sized companies ) with my free work. There isn't much else to
say," the developer previously wrote.

"Take this as an opportunity to send me a six figure yearly contract or
fork the project and have someone else work on it."

Interestingly, as of today, BleepingComputer noticed that the README
page for the 'faker' GitHub repo was also modified by the developer to
make reference to Aaron Swartz by stating: "What really happened with
Aaron Swartz?"

Swartz was an American programmer, entrepreneur, and renowned
hacktivist who, following a legal battle, committed suicide.

In an effort to make information freely accessible to all, the
hacktivist downloaded millions of journal articles from the JSTOR
database present on the MIT campus network, allegedly by rotating his
IP and MAC addresses repeatedly to get around the technological blocks
put in place by JSTOR and MIT.

In the process of doing this, Swartz may have run afoul of the Computer
Fraud and Abuse Act and faced criminal charges, with penalties of up to
thirty-five years in prison. [...]


https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

The article goes on to quote (rather tendentiously) passages from a
Twitter debate showing developers of embarrassing political
(un)awareness.

In reality, on Twitter and even more so on the Fediverse, most
developers supported Marak Squires' protest action.

Personally I believe (and hope) that this kind of creative, non-violent
cyber-protest will become the norm: no intrinsically fragile computing
system (such as those based on NPM) will be exempt from it.


Giacomo
_______________________________________________
nexa mailing list
[email protected]
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
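A defender-side check for the sabotage described in the quoted article, added here as an example (it is not code from the article, the mailing list, or the colors/faker projects): it walks a package-lock.json object and flags any resolved copy of the two sabotaged releases the article names, colors 1.4.44-liberty-2 and faker 6.6.6, including nested copies that a top-level `npm ls` glance can miss. The lockfile content below is constructed.

```javascript
// Added example (not from the article or the colors/faker projects): flag
// package-lock.json entries that resolve the sabotaged releases the story names.
const SABOTAGED = {
  colors: new Set(["1.4.44-liberty-2"]),
  faker: new Set(["6.6.6"]),
};

// Collect { name, version, path } for every installed package, handling
// lockfileVersion 2/3 (flat "packages" map) and v1 (nested "dependencies" tree).
function collectPackages(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue; // "" is the root project itself
      // name = last segment after "node_modules/" (keeps @scope/name intact)
      const name = meta.name || p.slice(p.lastIndexOf("node_modules/") + 13);
      found.push({ name, version: meta.version, path: p });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path: p });
      walk(meta.dependencies, `${p}/`); // nested copies npm could not dedupe
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Every resolved package whose name@version is on the sabotage list.
function findSabotaged(lock) {
  return collectPackages(lock).filter(
    (pkg) => SABOTAGED[pkg.name] instanceof Set && SABOTAGED[pkg.name].has(pkg.version),
  );
}

// Constructed sample lock (v2 layout): top-level colors is fine, but a CLI
// dependency carries its own nested copy of the sabotaged release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "5.5.3" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2" },
  },
};

console.log(findSabotaged(SAMPLE_LOCK)); // one hit: the nested colors copy
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the CI job when the result is non-empty.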
