Connect with us

Press Release

Developer breaks thousands of apps by corrupting NPM libraries’ “colours” and “faker”

Published

on

Developer breaks thousands of apps by corrupting NPM libraries' "colours" and "faker"

Users of the well-known open-source libraries “colours” and “faker” were astounded to see their programmes, which used these libraries, printing and breaking nonsense data.

Some people wondered if the NPM libraries had been compromised, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an infinite loop that the creator of these libraries purposefully inserted.

Nearly 19,000 projects use on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?
The creator of the well-known open-source NPM libraries “colours” (also known as colors.js on GitHub) and “faker” (also known as faker.js on GitHub) purposefully included malicious contributions that have an effect on millions of applications that rely on these libraries.

Yesterday, users of well-known open-source projects, like Amazon’s Cloud Development Kit (aws-cdk), were astounded to see messages printed in gibberish on their consoles by their applications.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters:

Users initially believed that the “colours” and “faker” libraries used by these projects were compromised, much like how the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two packages knowingly committed the code that led to the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

For any apps that require “colours,” the code’s infinite loop will continue to execute indefinitely, printing the non-ASCII nonsensical character sequence repeatedly on the console.

Similar to that, faker’s version 6.6.6 was tampered with and posted to GitHub and npm.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 release of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.

Zalgo writing describes several non-ASCII characters that have glitchy appearances.

This developer’s mischief appears to be motivated by retaliation—against large corporations and commercial users of open-source projects who heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

Respectfully, I will no longer provide free work to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as an opportunity to offer me a six-figure contract each year or to split the project and assign it to someone else.

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz really end up?

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

The hacktivist allegedly repeatedly changed his IP and MAC addresses to get around the technological barriers set up by JSTOR and MIT in order to download millions of journal articles from the JSTOR database accessible via the MIT campus network in an effort to make information freely available to everyone.

In the process of accomplishing this, Swartz might have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

uncanny worms in a can
Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the creator of ‘colors.js’ is upset because they weren’t paid [sic]… He then made the decision to print the American flag each time his library is loaded.

Some referred to this as “yet another OSS developer going rogue,” however infosec specialist VessOnSecurity referred to the move as “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses using it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating since things might break.

According to reports, GitHub has suspended the developer’s account. And even it has elicited conflicting responses:

The Terms of Service of [GitHub] state that you may not remove your own code from the site. WTF? This is an abduction. Software engineer Sergio Gómez retorted, “We need to start decentralising the hosting of free software source code.

“I’m hosting all of my projects on a GitLab private instance just in case anything like this happen to me. I have no idea what occurred. Never put your faith in any internet service provider, another user tweeted.

Marak yelled faker and colours, sabotaged a lot of projects, and anticipated nothing to happen? commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

However, soon after the Log4shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were being found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

Users of the “colours” and “faker” NPM projects should make sure they are not utilising an unsafe version in the meantime. One remedy is to downgrade to an earlier version of faker and colours, such as 5.5.3 and 1.4.0, respectively.

Continue Reading

Press Release

Review of Bleeping Computer

Published

on

Review of Bleeping Computer

ComboFix is a tool made by sUBs that checks your computer for known malware and tries to automatically remove infestations when it finds any. In addition to being able to get rid of a lot of the most popular and up-to-date malware, ComboFix also shows a report that skilled assistants may use to get rid of malware that isn’t already eradicated by the programme.

Please be aware that executing this programme without supervision may result in improper operation of your computer. Run this programme only at the direction of a knowledgeable assistant.

At the moment, Windows 8.1 is not compatible with this programme, just Windows 8!

The author is collecting PayPal donations from people who want to support his work. By selecting the following picture, you may contribute:

Continue Reading

Press Release

Microsoft provides a fix for persistent Outlook login issues.

Published

on

Microsoft provides a fix for persistent Outlook login issues.

Microsoft is attempting to resolve ongoing sign-in issues that are preventing certain users of Outlook for Microsoft 365 from accessing their accounts.

Users who attempt to enter into Outlook using their Outlook.com accounts or those who have already added the accounts to their Outlook profiles are affected by the login issues.

The users will get the following error messages instructing them to use a work or school account rather than signing in: “You are unable to log in using a personal account here. Use your account from work or school instead.”

Although Microsoft claims that the Outlook Team is working on a patch for this known problem, users can access their accounts using an official workaround until a fix is released.

“You can get around the problem by disabling Support Diagnostics, which disables the ability to contact support through the In App Help menu by choosing Contact Support. The fault is connected to how Outlook is authenticating for the diagnostics in some cases, “explained Microsoft.

You must enable the DisableSupportDiagnostics policy setting in Outlook to turn off support diagnostics and stop it from informing support services about client failure.

According to the Group Policy Administrative Templates Catalog, “This policy setting determines whether Outlook can communicate client information on failure to support services with the intent of diagnosing the issue or making the information available to support to help with the diagnosis/resolution of the issue and/or provide contextual error messaging to the user.”

A different flaw that can prohibit users from configuring Exchange Online mailboxes in Outlook for Windows is something Redmond claimed it was attempting to fix last week.

Early in October, the company started releasing a remedy for a different problem that has been causing Outlook for Microsoft 365 to freeze and crash after opening since August.

Continue Reading

Press Release

Rapyd, a “fintech-as-a-service” provider, to acquire Iceland-based Valitor, which establishes in-store and on the internet payments technologies, for $100M (Omar Faridi/Crowdfund Expert).

Published

on

acquire Iceland-based Valitor

Rapyd, a “fintech-as-a-service” provider, to acquire Iceland-based Valitor, which develops in-store and online payments technologies, for $100M (Omar Faridi/Crowdfund Insider)

Omar Faridi / Crowdfund Insider:
Rapyd, a “fintech-as-a-service” provider, to acquire Iceland-based Valitor, which develops in-store and online payments technologies, for $100M  —  – Twitter- Facebook- LinkedIn- Pinterest- Reddit- HackerNews- Telegram- Weibo- Email- Print- Subscribe

Continue Reading

Trending