Users of the well-known open-source libraries “colours” and “faker” were astounded to see their programmes, which used these libraries, printing and breaking nonsense data.

Some people wondered if the NPM libraries had been compromised, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an infinite loop that the creator of these libraries purposefully inserted.

Nearly 19,000 projects use on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?
The creator of the well-known open-source NPM libraries “colours” (also known as colors.js on GitHub) and “faker” (also known as faker.js on GitHub) purposefully included malicious contributions that have an effect on millions of applications that rely on these libraries.

Yesterday, users of well-known open-source projects, like Amazon’s Cloud Development Kit (aws-cdk), were astounded to see messages printed in gibberish on their consoles by their applications.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters:

Users initially believed that the “colours” and “faker” libraries used by these projects were compromised, much like how the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two packages knowingly committed the code that led to the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

For any apps that require “colours,” the code’s infinite loop will continue to execute indefinitely, printing the non-ASCII nonsensical character sequence repeatedly on the console.

Similar to that, faker’s version 6.6.6 was tampered with and posted to GitHub and npm.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 release of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.

Zalgo writing describes several non-ASCII characters that have glitchy appearances.

This developer’s mischief appears to be motivated by retaliation—against large corporations and commercial users of open-source projects who heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

Respectfully, I will no longer provide free work to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as an opportunity to offer me a six-figure contract each year or to split the project and assign it to someone else.

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz really end up?

”

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

The hacktivist allegedly repeatedly changed his IP and MAC addresses to get around the technological barriers set up by JSTOR and MIT in order to download millions of journal articles from the JSTOR database accessible via the MIT campus network in an effort to make information freely available to everyone.

In the process of accomplishing this, Swartz might have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

uncanny worms in a can
Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the creator of ‘colors.js’ is upset because they weren’t paid [sic]… He then made the decision to print the American flag each time his library is loaded.

Some referred to this as “yet another OSS developer going rogue,” however infosec specialist VessOnSecurity referred to the move as “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses using it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating since things might break.

According to reports, GitHub has suspended the developer’s account. And even it has elicited conflicting responses:

The Terms of Service of [GitHub] state that you may not remove your own code from the site. WTF? This is an abduction. Software engineer Sergio Gómez retorted, “We need to start decentralising the hosting of free software source code.

“I’m hosting all of my projects on a GitLab private instance just in case anything like this happen to me. I have no idea what occurred. Never put your faith in any internet service provider, another user tweeted.

Marak yelled faker and colours, sabotaged a lot of projects, and anticipated nothing to happen? commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

However, soon after the Log4shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were being found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

Users of the “colours” and “faker” NPM projects should make sure they are not utilising an unsafe version in the meantime. One remedy is to downgrade to an earlier version of faker and colours, such as 5.5.3 and 1.4.0, respectively.