Users of the popular open source “colors” and “faker” libraries were stunned after seeing their apps, which use those libraries, print gibberish data and crash.
Some have speculated that the NPM libraries were compromised, but it turns out there’s a lot more to the story.
The developer of these libraries intentionally introduced an infinite loop that broke thousands of projects that depend on “colors” and “faker.”
The colors library receives over 20 million weekly downloads on npm alone and has nearly 19,000 dependent projects, while faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.
Open Source Revolution?
The developer behind the popular open source “colors” npm library (aka colors.js on GitHub) and “faker” (aka faker.js on GitHub) intentionally introduced malicious commits that impact thousands of applications relying on these libraries.
Yesterday, users of popular open source projects, such as Amazon Cloud Development Kit (aws-cdk) were amazed to see their applications printing gibberish messages to their console.
These messages included the text “LIBERTY LIBERTY LIBERTY” followed by a sequence of non-ASCII characters.
Initially, users suspected that the “colors” and “faker” libraries used by these projects had been compromised [1, 2, 3], similar to how the coa, rc, and ua-parser-js libraries were hijacked last year by malicious actors.
But, in fact, it was the developer behind colors and faker who appears to have intentionally committed the code responsible for the breakage, as seen by BleepingComputer.
The developer, named Marak Squires, added a “new American flag module” to the colors.js library yesterday in version v1.4.44-liberty-2, which he then pushed to GitHub and npm.
The infinite loop introduced in the code runs indefinitely, printing the non-ASCII gibberish character sequence to the console of every application that uses “colors.”
Likewise, a sabotaged version “6.6.6” of faker was published to GitHub and npm.
“It has been brought to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors,” the developer wrote mockingly.
“Please know that we are currently working to correct the situation and that we will have a resolution shortly.”
Zalgo text refers to text overlaid with stacked non-ASCII combining characters so that it looks glitchy.
The reason for this mischief on the developer’s part appears to be retaliation against mega-corporations and commercial consumers of open source projects that rely heavily on free and community-powered software but which, according to the developer, do not give back to the community.
In November 2020, Marak warned that he would no longer support large companies with his “free labor” and that business entities should consider forking projects or compensating the developer with a “six-figure” annual salary.
“Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. There isn’t much else to say,” the developer previously wrote.
“Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”
Interestingly, BleepingComputer has noticed that the README page of the “faker” GitHub repository has also been modified by the developer to refer to Aaron Swartz, stating: “What really happened with Aaron Swartz?”
Swartz was a renowned American programmer, entrepreneur and hacktivist who, following a legal battle, committed suicide.
In an effort to make information freely accessible to everyone, the hacktivist downloaded millions of journal articles from the JSTOR database over the MIT campus network, allegedly changing his IP and MAC addresses several times to bypass the technical blocks put in place by JSTOR and MIT.
In doing so, Swartz may have violated the Computer Fraud and Abuse Act, and he faced criminal charges carrying sentences of up to thirty-five years in prison.
A can of worms
Marak’s bold move opened a can of worms and drew mixed responses.
Some in the open source software community have praised the developer’s actions, while others are dismayed.
“Apparently the author of ‘colors.js’ is angry about not getting paid … So he decided to print the American flag every time his library loads … WTF,” tweeted a user.
Some dubbed this an example of “yet another rogue OSS developer,” while InfoSec expert VessOnSecurity called the action “irresponsible,” stating:
“If you’re having trouble with businesses using your free code for free, don’t post free code. By sabotaging your own widely used content, you hurt not only big business, but everyone who uses it. […] could break.”
GitHub reportedly suspended the developer’s account. And that too caused mixed reactions:
NPM reverted to a previous version of the faker.js package and GitHub suspended my access to all public and private projects. I have hundreds of projects. #AaronSwartz
– marak (@marak) January 6, 2022
“Removing your own code from [GitHub] is a violation of their terms of use? WTF? It’s kidnapping. We need to start decentralizing the hosting of free software source code,” responded software engineer Sergio Gómez.
“I don’t know what happened, but I host all of my projects on a private GitLab instance just because things like this happen to me. Never trust an ISP,” tweeted another.
“Marak faked the colors, cobbled together tons of projects and expected nothing to happen?” said a developer named Piero.
Note that Marak’s surprising move follows the recent Log4j debacle that set the internet on fire.
The Log4j open source library is widely used in a wide range of Java applications, including those developed by companies and commercial entities.
But shortly after the massive exploitation of the Log4Shell vulnerability, the maintainers of the open source library worked without compensation over the holidays to fix the project as more and more CVEs were discovered.
Concerns followed over how large companies were used to “exploiting” open source: consuming it over and over without giving enough back to support the unpaid volunteers who maintain these critical projects in their free time.
Some also criticized internet users and bug hunters who chased down Log4j maintainers who “were already working sleepless on mitigation measures; patches, documents, CVEs, responses to inquiries, etc.” [1, 2, 3].
“Responses to the author of colors.js / faker.js sabotaging their own packages really indicate how many enterprise developers feel they have a moral right to unpaid open source developer work without giving anything back,” wrote a Twitter user.
Time will tell what the future holds for free software in terms of the OSS sustainability issue.
In the meantime, users of the “colors” and “faker” npm packages should ensure that they are not using a sabotaged version. Downgrading to an older version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is a workaround.
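As an added illustration of that check (not part of the original article or of either project), the script below scans a parsed package-lock.json for the sabotaged releases named in the article and for any copy newer than the last known-good versions, including copies nested under other dependencies; the sample lockfile and the package name "some-cli" are constructed for the demo.

```javascript
// Added example (not from the article): scan an npm lockfile for the sabotaged
// "colors" and "faker" releases named above, and for anything newer than the
// last known-good versions (colors 1.4.0, faker 5.5.3).
const KNOWN_GOOD = { colors: "1.4.0", faker: "5.5.3" };
const SABOTAGED = { colors: ["1.4.44-liberty-2"], faker: ["6.6.6"] };

// Compare dotted numeric versions; a prerelease suffix such as "-liberty-2" is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// lock: a parsed package-lock.json (lockfileVersion 2 or 3) whose "packages"
// map is keyed by install path, so nested copies of a package are found too.
function findSuspectPackages(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.split("node_modules/").pop();
    if (!(name in KNOWN_GOOD)) continue;
    const version = entry.version;
    if (SABOTAGED[name].includes(version)) {
      findings.push({ path, name, version, reason: "known sabotaged release" });
    } else if (compareVersions(version, KNOWN_GOOD[name]) > 0) {
      findings.push({ path, name, version, reason: `newer than known-good ${KNOWN_GOOD[name]}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: a safe top-level colors, a sabotaged colors
// nested under another (made-up) dependency, and the sabotaged faker release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2" },
    "node_modules/faker": { version: "6.6.6" },
  },
};

// Real use: findSuspectPackages(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
```

Against the sample lockfile the scan reports the nested colors copy and the faker release, while the pinned top-level colors 1.4.0 passes.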
Update 10:08 am ET: Added tweet from @VessOnSecurity after post.
Update 11:24 am ET: Added full developer name, Marak Squires.