Connect with us

Press Release

Developer breaks thousands of apps by corrupting NPM libraries’ “colours” and “faker”

Published

on

Developer breaks thousands of apps by corrupting NPM libraries' "colours" and "faker"

Users of the well-known open-source libraries “colours” and “faker” were astounded to see their programmes, which used these libraries, printing and breaking nonsense data.

Some people wondered if the NPM libraries had been compromised, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an infinite loop that the creator of these libraries purposefully inserted.

Nearly 19,000 projects use on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?
The creator of the well-known open-source NPM libraries “colours” (also known as colors.js on GitHub) and “faker” (also known as faker.js on GitHub) purposefully included malicious contributions that have an effect on millions of applications that rely on these libraries.

Yesterday, users of well-known open-source projects, like Amazon’s Cloud Development Kit (aws-cdk), were astounded to see messages printed in gibberish on their consoles by their applications.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters:

Users initially believed that the “colours” and “faker” libraries used by these projects were compromised, much like how the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two packages knowingly committed the code that led to the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

For any apps that require “colours,” the code’s infinite loop will continue to execute indefinitely, printing the non-ASCII nonsensical character sequence repeatedly on the console.

Similar to that, faker’s version 6.6.6 was tampered with and posted to GitHub and npm.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 release of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.

Zalgo writing describes several non-ASCII characters that have glitchy appearances.

This developer’s mischief appears to be motivated by retaliation—against large corporations and commercial users of open-source projects who heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

Respectfully, I will no longer provide free work to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as an opportunity to offer me a six-figure contract each year or to split the project and assign it to someone else.

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz really end up?

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

The hacktivist allegedly repeatedly changed his IP and MAC addresses to get around the technological barriers set up by JSTOR and MIT in order to download millions of journal articles from the JSTOR database accessible via the MIT campus network in an effort to make information freely available to everyone.

In the process of accomplishing this, Swartz might have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

uncanny worms in a can
Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the creator of ‘colors.js’ is upset because they weren’t paid [sic]… He then made the decision to print the American flag each time his library is loaded.

Some referred to this as “yet another OSS developer going rogue,” however infosec specialist VessOnSecurity referred to the move as “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses using it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating since things might break.

According to reports, GitHub has suspended the developer’s account. And even it has elicited conflicting responses:

The Terms of Service of [GitHub] state that you may not remove your own code from the site. WTF? This is an abduction. Software engineer Sergio Gómez retorted, “We need to start decentralising the hosting of free software source code.

“I’m hosting all of my projects on a GitLab private instance just in case anything like this happen to me. I have no idea what occurred. Never put your faith in any internet service provider, another user tweeted.

Marak yelled faker and colours, sabotaged a lot of projects, and anticipated nothing to happen? commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

However, soon after the Log4shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were being found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

Users of the “colours” and “faker” NPM projects should make sure they are not utilising an unsafe version in the meantime. One remedy is to downgrade to an earlier version of faker and colours, such as 5.5.3 and 1.4.0, respectively.

Continue Reading

Press Release

Benefits of Using a Software Application for Doctor Online Reputation Management

Published

on

Benefits of Using a Software Application for Doctor Online Reputation Management

For this reason, a lot of people are beginning to use software to manage their internet business reputation. This is done to make sure they have all the information they require about a clinic, hospital, or other establishment before taking a person there. However, patients must use this software package in order for this to happen. to ensure that they are providing reviews and compliments for the technique they examined. All of these advantages and benefits come from using this monitoring software application for your clinical procedure or company.

It encourages the marketing of a facility or clinical practise.

The fact that it encourages the marketing of the medical practise or establishment is one of the most important reasons why using online reputation monitoring in the healthcare industry is a great idea. However, this will only help the company if you receive positive reviews, recommendations, and comments.

It promotes advertising and marketing because the software will make it much easier for people to find the practise online if they are looking for it. After that, they may choose if this is something they should consider employing or not. However, it will also include negative remarks and also evaluations.

letting your patients know how your practise is doing

When you employ physician internet reputation monitoring software, you can be sure that you are telling your clients the truth about your practise. enabling them to express exactly how they perceive the technique or clinic in their own words. And they believe that what they believe can change the approach to make it much better for the patients.

Because you aren’t the one waiting in the waiting room, this is a great concept. In addition, they might have access to information that you do not. Giving your people a voice in your strategy can be a smart idea because of this. When they create an online evaluation, they can accomplish this.

Make it easier for others to find you online.

Generally speaking, this benefit is the same as the marketing and advertising benefit. Due to the doctor’s online reputation monitoring software, specifically a Google search, people can find your approach online. making it simpler for new customers to find your approach.

However, they will also find this to be simpler if you receive a lot of negative feedback. This is why, if any of your current patients are leaving comments, you need to make sure they are all good. Regardless of whether there are techniques that can’t be found online, this can help or hurt your practise.

provides a mechanism for you to communicate with people

It gives you a way to communicate with people thanks to the medical online Amazeful reputation management software. Make sure potential customers can tell that you genuinely value your clients’ experiences in your waiting area and with your service.

The only thing to keep in mind is that, under any circumstances, you should never comment negatively on someone. The only thing that can determine whether you’ll get new patients or not is what you do.

enabling you to improve the flaws in your approach.

Continue Reading

Press Release

You become infected with RedLine malware through fake Windows 11 upgrade installers.

Published

on

You become infected with RedLine malware through fake Windows 11 upgrade installers.

Users of Windows 10 have begun to get phoney Windows 11 upgrade installers, tricking them into downloading and running RedLine stealer software.

The attacks took place at the same time that Microsoft announced the broad deployment phase for Windows 11. As a result, the attackers were well-prepared for this move and waited for the ideal time to maximise the effectiveness of their operation.

As the most extensively used password, browser cookie, credit card, and cryptocurrency wallet information thief at the moment, RedLine stealer infections can have serious negative effects on the victims.

The initiative

The attackers exploited the “windows-upgraded.com” domain for the malware distribution portion of their campaign, according to HP experts who have detected this effort.

When a visitor selected the “Download Now” button on the website, a 1.5 MB ZIP archive with the name “Windows11InstallationAssistant.zip” was downloaded directly from a Discord CDN. The website looks to be an official Microsoft website.

Decompressing the file yields a folder with a size of 753MB and a remarkable compression ratio of 99.8%, which was made possible by the executable’s inclusion of padding.

An encoded parameter starts a PowerShell process when the victim runs the programme in the folder.

A.jpg file is then retrieved from a distant web server when a cmd.exe process with a 21-second timeout has finished running.

The DLL in this file is organised in reverse, maybe to avoid detection and analysis.

The first process then loads the DLL and swaps it out for the current thread context. That DLL is a RedLine stealer payload that uses a TCP connection to communicate with the command-and-control server to receive instructions on what malicious operations should be performed next on the recently compromised system.

Outlook
Nothing prevents the actors from registering a new domain and continuing their campaign even though the distribution site is currently unavailable. In fact, it’s quite likely that this is already taking place in nature.

Due to hardware compatibility issues, many Windows 10 customers are unable to download Windows 11 via the official distribution channels. Malware operators see this as a great opportunity to recruit new victims.

The strategies disclosed by HP are not surprising at this time, as threat actors are also use Windows’ legitimate update clients to execute malicious code on compromised Windows systems, as BleepingComputer discovered in January.

Remember that these risky websites are advertised through forum postings, posts on social media, and instant messages, so only rely on the official Windows upgrade system alerts.

Continue Reading

Press Release

Resources: Facebook will certainly introduce a suite of audio items on Monday, consisting of a Clubhouse-like app, a podcast exploration item linked to Spotify, and much more (Peter Kafka/Vox).

Published

on

suite of audio items

Sources: Facebook will announce a suite of audio products on Monday, including a Clubhouse-like app, a podcast discovery product connected to Spotify, and more (Peter Kafka/Vox)

Peter Kafka / Vox:
Sources: Facebook will announce a suite of audio products on Monday, including a Clubhouse-like app, a podcast discovery product connected to Spotify, and more  —  Announcements are coming on Monday, but some products won’t show up for a while.  —  Facebook wants you to start talking and listening, on Facebook.

Continue Reading

Trending