Dev corrupts NPM libs ‘colors’ and ‘faker’, breaking thousands of apps


Users of the popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, which use these libraries, printing gibberish data and breaking.

Some wondered whether the NPM libraries had been compromised, but it turns out there’s much more to the story.

The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ‘colors’ and ‘faker’.

The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects depending on it, whereas faker receives over 2.8 million weekly downloads on npm and has over 2,500 dependents.

Open Source Revolution?

The developer behind the popular open-source NPM libraries ‘colors’ (aka colors.js on GitHub) and ‘faker’ (aka ‘faker.js’ on GitHub) intentionally introduced mischievous commits into them that are impacting thousands of applications relying on these libraries.

Yesterday, users of popular open-source projects, such as Amazon’s Cloud Development Kit (aws-cdk), were left stunned on seeing their applications print gibberish messages on their console.

These messages included the text ‘LIBERTY LIBERTY LIBERTY’ followed by a sequence of non-ASCII characters:

Users left stunned on seeing garbage data printed by ‘faker’ and ‘colors’ projects (GitHub)

Initially, users suspected that the libraries ‘colors’ and ‘faker’ used by these projects were compromised [1, 2, 3], similar to how the coa, rc, and ua-parser-js libraries were hijacked last year by malicious actors.

But, in fact, it was the dev behind colors and faker who appears to have intentionally committed the code responsible for the major blunder, as seen by BleepingComputer.

The developer, named Marak Squires, added a “new American flag module” to the colors.js library yesterday in version v1.4.44-liberty-2, which he then pushed to GitHub and npm.

colors.js mischievous commit made by ‘Marak’ (GitHub)

The infinite loop introduced in the code keeps running indefinitely, printing the gibberish non-ASCII character sequence endlessly on the console for any application that uses ‘colors’.

Likewise, a sabotaged version ‘6.6.6’ of faker was published to GitHub and npm.

“It’s come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors,” mocked the developer.

“Please know we are working right now to fix the situation and will have a resolution shortly.”

Zalgo text refers to text overlaid with stacked non-ASCII combining characters so that it appears glitchy.

The reason behind this mischief on the developer’s part appears to be retaliation against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.

In November 2020, Marak had warned that he would no longer be supporting the big corporations with his “free work” and that commercial entities should consider either forking the projects or compensating the dev with a yearly “six figure” salary.

“Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work. There isn’t much else to say,” the developer previously wrote.

“Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

Interestingly, as of today, BleepingComputer noticed that the README page for the ‘faker’ GitHub repo was also modified by the developer to make reference to Aaron Swartz by stating: “What really happened with Aaron Swartz?”

Swartz was an American programmer, entrepreneur, and renowned hacktivist who, following a legal battle, committed suicide.

In an effort to make information freely accessible to all, the hacktivist downloaded millions of journal articles from the JSTOR database present on the MIT campus network, allegedly by rotating his IP and MAC addresses repeatedly to get around the technological blocks put in place by JSTOR and MIT.

In the process of doing this, Swartz may have run afoul of the Computer Fraud and Abuse Act and faced criminal charges, with penalties of up to thirty-five years in prison.

Uncanny can of worms

Marak’s bold move has opened up a can of worms and attracted mixed responses.

Some members of the open-source software community have praised the developer’s actions, while others are appalled by them.

“Apparently the author of ‘colors.js’ is angry for not being payed… So he decided to print the American flag each time his library is loaded… WTF,” tweeted one user.

Some dubbed this an instance of “yet another OSS developer going rogue,” whereas InfoSec expert VessOnSecurity called the action “irresponsible,” stating:

“If you have problems with business using your free code for free, don’t publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, ‘coz stuff might break.”

GitHub has reportedly suspended the developer’s account. And that, too, has caused mixed reactions:

NPM has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz pic.twitter.com/zFddwn631S

— marak (@marak) January 6, 2022

“Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code,” responded software engineer Sergio Gómez.

“Never know what happened but I’m hosting all of my projects on GitLab private instance just in case things like this happening to me. Never trust any internet service provider,” tweeted another.

“Marak yeeted faker and colors, bricking tons of projects, and expected nothing to happen?” stated a developer named Piero.

Note that Marak’s surprising move follows the recent Log4j debacle that set the internet on fire.

Open-source library Log4j is used extensively in a vast range of Java applications, including those developed by corporations and commercial entities.

But, shortly after mass-exploitation of the Log4shell vulnerability, the maintainers of the open-source library worked without compensation over the holidays to patch the project, as more and more CVEs were being discovered.

Concerns followed as to how big businesses were used to “exploiting” open-source software, consuming it incessantly but not giving back enough to support the unpaid volunteers who sustain these critical projects by giving up their free time.

Some also criticized the netizens and bug bounty hunters hounding the Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc.” [1, 2, 3].

“The responses to the colors.js/faker.js author sabotaging their own packages are really telling about how many corporate developers think they are morally entitled to open source developers’ unpaid labour without contributing anything back,” wrote one Twitter user.

Time will tell what the future of open-source software entails with regard to the OSS sustainability problem.

In the meantime, users of the ‘colors’ and ‘faker’ NPM projects should ensure they are not using an unsafe version. Downgrading to an earlier version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is one solution.

Update 10:08 AM ET: Added tweet from @VessOnSecurity after publishing.

Update 11:24 AM ET: Added developer’s full name, Marak Squires.


2 thoughts on “Dev corrupts NPM libs ‘colors’ and ‘faker’, breaking thousands of apps”

  1. Aditya
    · January 9, 2022 at 10:45 pm

    Should I get paid for my multiple contributions to faker (I don't think I should)? I've submitted several PRs for generating data, all of which were accepted. Even back then the maintainer was barking about money…

    Honestly the project would be better off forked. He did not write this library entirely by himself; at this point I just see him as holding other committers' contributions hostage. It's a bad look, and why anyone would want to deal with him after this stunt is beyond me.

  2. Aditya

    Here's my $.02:

    Packages are literally remote code exec vulns in the hands of package authors. At the very least, it takes them under a minute to break your app, simply by deleting their package. Read the article. This is not the first time it's happened, and it's not going to be the last. [0]

    I write backends (mostly in PHP, although not exclusively), and I release a lot of my code under libre licenses. But I don't do packages. I don't want that level of control over other people's projects, it's scary as fuck. I have enough responsibilities as is.

    I have a mailing list for people who use my code, when an update is out they can download the .php files, 'require' them and test them before deployment, but never will I do packages.

    IMO, re-inventing the wheel sometimes is not the worst thing. Including code written by strangers that you haven't inspected and that they can remotely modify is. Stop using packages that are essentially wrappers around three-line Stack Overflow answers.

    In this case, the old-fashioned way is the better way, and you'll have a hard time convincing me otherwise.

    [0]: https://qz.com/646467/how-one-programmer-broke-the-internet-…