Open source developer corrupts own libraries

Users of open source projects like Amazon's Cloud Development Kit were left flat-footed by the change


faker.js and color.js started generating gibberish data after a developer update

A developer has reportedly deliberately corrupted a pair of open-source libraries hosted on GitHub and the NPM software registry, pushing updates that trigger infinite loops and have left thousands of dependent projects unable to function.

The open source libraries - Colors.js and Faker.js - started generating gibberish data after their developer Marak Squires allegedly intentionally introduced an infinite loop.

Both libraries are widely used. Colors.js is downloaded around 23 million times a week, according to NPM, and faker.js clocks nearly 2.5 million weekly downloads.

According to Bleeping Computer, Squires added a 'new American flag module' to the latest version of colors.js and then pushed it to GitHub and NPM, triggering three lines of the words "LIBERTY LIBERTY LIBERTY" followed by a sequence of incomprehensible non-ASCII characters in a loop.

Similarly, Squires rolled out version 6.6.6 of faker.js, causing a similar destructive turn of events.

This left several users of popular open-source projects, such as Amazon's Cloud Development Kit, in shock as they saw their applications printing gibberish messages on their console.

Responding to the problem, Squires posted an update on GitHub to address the "zalgo issue," referring to the invalid text that the corrupt files generate.

"It's come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors," Squires wrote.

"Please know we are working right now to fix the situation and will have a resolution shortly."

Nearly two days after posting the corrupt update to faker.js, Squires tweeted that he had been suspended from GitHub, despite storing hundreds of projects on the site.

Colors.js appears to be working again, although faker.js is still affected; its users will need to downgrade to a previous version to keep using it.
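The downgrade advice above assumes a team knows which version of each package its builds actually resolved to. The following lockfile audit is an added example written for this article, not code from the affected projects or from NPM: it walks a package-lock.json (the `packages` map that npm 7 and later write), flags any dependency resolved to one of the two releases the article names (colors `1.4.44-liberty-2`, faker `6.6.6`), and separately flags floating version ranges on those packages, since a caret or tilde range is what lets a fresh install pick up a new release untested. The sample package.json and lockfile are constructed for the example.

```javascript
// Added example: audit a package.json plus package-lock.json for the releases
// named in the article and for floating ranges on the same packages.
// The package metadata below is constructed; only the two version strings
// come from the article.

const WATCHLIST = {
  colors: new Set(["1.4.44-liberty-2"]),
  faker: new Set(["6.6.6"]),
};

// Constructed package.json: colors and faker on caret ranges, express pinned by range too.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { colors: "^1.4.0", faker: "^6.0.0", express: "^4.17.1" },
};

// Constructed lockfile in the npm 7+ "packages" shape. faker resolved to 6.6.6.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/express": { version: "4.17.1" },
  },
};

// An exact pin is a bare semver string (optionally with a prerelease tag);
// anything else (^, ~, >=, x, *) can resolve differently on the next install.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range);
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns findings as plain objects so callers can sort, filter or fail a build on them.
function auditDependencies(pkg, lock) {
  const findings = [];

  // 1. What did the last install actually resolve to?
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    const name = packageNameFromLockPath(lockPath);
    const bad = WATCHLIST[name];
    if (bad && bad.has(entry.version)) {
      findings.push({
        level: "high",
        name,
        version: entry.version,
        reason: "lockfile resolves to a release the article names as corrupted",
      });
    }
  }

  // 2. Which watchlisted packages could drift on the next install?
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (name in WATCHLIST && !isExactPin(range)) {
      findings.push({
        level: "medium",
        name,
        version: range,
        reason: "floating range; a fresh install may pull a release newer than the one tested",
      });
    }
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return "no findings";
  return findings
    .map((f) => `[${f.level.toUpperCase()}] ${f.name}@${f.version}: ${f.reason}`)
    .join("\n");
}

console.log(formatReport(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)));
```

On the constructed input this reports one high finding (faker resolved to 6.6.6) and two medium findings (the caret ranges on colors and faker); express is not on the watchlist and is left alone. Replacing the two constants with `JSON.parse` of the real files is the only change needed to run it against a project.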

Squires' motivations seem to date back to November 2020, when he wrote in a GitHub post that he no longer wanted to support Fortune 500 and other companies for free.

"Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work.

"Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it."

Many developers have criticised Squires for not following the guidelines of open-source projects, and hurting other people whose projects depend on his libraries.

Open source projects are widely used and any actions that affect them can have far-reaching consequences. Attacks like Squires', and the Log4j vulnerability discovered last year, have thrown the trustworthiness of open source into question for many users.