Fri. Jan 21st, 2022

A developer appears to have intentionally corrupted two open source libraries hosted on GitHub and the npm software registry, "faker.js" and "colors.js", on which thousands of projects depend, rendering any project that pulls in the sabotaged versions unusable, as reported by BleepingComputer. Although colors.js appears to have since been restored to a working version, faker.js still appears to be affected; the issue can be resolved by downgrading to an earlier version (5.5.3).

BleepingComputer discovered that the developer of these two libraries, Marak Squires, introduced a malicious commit (a file revision on GitHub) to colors.js that "adds a new US flag module", and also published version 6.6.6 of faker.js, causing the same destructive behaviour. The sabotaged versions cause applications to print an endless stream of garbled letters and symbols, starting with three lines of text reading "LIBERTY LIBERTY LIBERTY".

Even more curiously, the faker.js readme file was also changed to read "What really happened to Aaron Swartz?" Swartz was a prominent developer who helped establish Creative Commons, RSS, and Reddit. In 2011, Swartz was charged with stealing documents from the academic database JSTOR with the aim of making them freely available, and he died by suicide in 2013. Squires' mention of Swartz could be a reference to conspiracy theories surrounding his death.

As BleepingComputer notes, a number of users, including some working with Amazon's Cloud Development Kit, turned to GitHub's issue tracker to voice their concerns about the problem. With faker.js seeing nearly 2.5 million weekly downloads on npm, and colors.js about 22.4 million downloads a week, the effects of the sabotage are likely to be far-reaching. For context, faker.js generates fake data for demos and tests, while colors.js adds colors to JavaScript console output.

In response to the issue, Squires posted an update on GitHub addressing the "zalgo issue", a reference to the glitchy text the corrupted releases produce. "We've noticed that there is a Zalgo bug in the v1.4.44-liberty-2 release of colors," Squires writes, presumably sarcastically. "Please know that we are currently working to resolve the situation and will have a resolution shortly."

Two days after pushing the corrupt update to faker.js, Squires tweeted that he had been suspended from GitHub, despite having hundreds of projects hosted on the site. However, judging by the changelogs of both faker.js and colors.js, his suspension appears to have been lifted at some point: Squires made the faker.js commit on January 4, was banned on January 6, and did not publish the "liberty" version of colors.js until January 7. It is unclear whether Squires' account has since been banned again. The Verge contacted GitHub for comment but did not immediately hear back.

However, the story does not end there. BleepingComputer dug up one of Squires' posts on GitHub from November 2020, in which he states that he no longer wants to do free work. "With respect, I will no longer be supporting Fortune 500s (and other smaller companies) with my free work," he says. "Take this as an opportunity to send me a six-figure yearly contract or split the project and have someone else work on it."

Squires' drastic move draws attention to the moral and financial dilemma of open source development, which was likely the purpose of his actions. A huge number of websites, software packages and apps rely on open source developers to create essential tools and components, all for free. It is the same problem that leaves unpaid developers working tirelessly to fix security vulnerabilities in their open source software, as with the 2014 Heartbleed scare that hit OpenSSL and the more recent Log4Shell vulnerability in log4j, which sent volunteers scrambling to fix it.
