Connect with us

Press Release

Developer breaks thousands of apps by corrupting NPM libraries’ “colours” and “faker”



Developer breaks thousands of apps by corrupting NPM libraries' "colours" and "faker"

Users of the well-known open-source libraries “colours” and “faker” were astounded to see their programmes, which used these libraries, printing and breaking nonsense data.

Some people wondered if the NPM libraries had been compromised, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an infinite loop that the creator of these libraries purposefully inserted.

Nearly 19,000 projects use on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?
The creator of the well-known open-source NPM libraries “colours” (also known as colors.js on GitHub) and “faker” (also known as faker.js on GitHub) purposefully included malicious contributions that have an effect on millions of applications that rely on these libraries.

Yesterday, users of well-known open-source projects, like Amazon’s Cloud Development Kit (aws-cdk), were astounded to see messages printed in gibberish on their consoles by their applications.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters:

Users initially believed that the “colours” and “faker” libraries used by these projects were compromised, much like how the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two packages knowingly committed the code that led to the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

For any apps that require “colours,” the code’s infinite loop will continue to execute indefinitely, printing the non-ASCII nonsensical character sequence repeatedly on the console.

Similar to that, faker’s version 6.6.6 was tampered with and posted to GitHub and npm.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 release of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.

Zalgo writing describes several non-ASCII characters that have glitchy appearances.

This developer’s mischief appears to be motivated by retaliation—against large corporations and commercial users of open-source projects who heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

Respectfully, I will no longer provide free work to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as an opportunity to offer me a six-figure contract each year or to split the project and assign it to someone else.

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz really end up?

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

The hacktivist allegedly repeatedly changed his IP and MAC addresses to get around the technological barriers set up by JSTOR and MIT in order to download millions of journal articles from the JSTOR database accessible via the MIT campus network in an effort to make information freely available to everyone.

In the process of accomplishing this, Swartz might have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

uncanny worms in a can
Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the creator of ‘colors.js’ is upset because they weren’t paid [sic]… He then made the decision to print the American flag each time his library is loaded.

Some referred to this as “yet another OSS developer going rogue,” however infosec specialist VessOnSecurity referred to the move as “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses using it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating since things might break.

According to reports, GitHub has suspended the developer’s account. And even it has elicited conflicting responses:

The Terms of Service of [GitHub] state that you may not remove your own code from the site. WTF? This is an abduction. Software engineer Sergio Gómez retorted, “We need to start decentralising the hosting of free software source code.

“I’m hosting all of my projects on a GitLab private instance just in case anything like this happen to me. I have no idea what occurred. Never put your faith in any internet service provider, another user tweeted.

Marak yelled faker and colours, sabotaged a lot of projects, and anticipated nothing to happen? commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

However, soon after the Log4shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were being found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

Users of the “colours” and “faker” NPM projects should make sure they are not utilising an unsafe version in the meantime. One remedy is to downgrade to an earlier version of faker and colours, such as 5.5.3 and 1.4.0, respectively.

Continue Reading

Press Release

Characteristics That Set Mega888 Apart From Other Online Casinos



Characteristics That Set Mega888 Apart From Other Online Casinos

The world of online gaming has never been the same since the launch of Mega888. It may be argued that the casino is the greatest online casino for all of your gambling needs because it has accomplished so much in such a short period of time.

There is a list of other online casinos, however the majority of them cannot be compared to Mega888. So what precisely sets Mega888 apart from other online casinos? We’ve put together a collection of justifications to aid you comprehend Mega888’s virtues.

The casino provides patrons with a wealth of amenities. So, these are the characteristics that set Mega888 apart from other online casinos in the gambling sector.

Quality of the Online Casino Overall
Prior to going any further, it is important to note the casino’s general level of excellence. One of the main reasons Mega888 is trustworthy is because it never takes advantage of or scams its customers.

The casino will take steps to protect every player from fraud of any kind, making Mega888 a trustworthy and respectable online casino. The Mega888 team is always developing new features to improve the playing experience.

The high-quality games that Mega888 has to offer are among its best features. The online casino’s selection of games goes well beyond simply having outstanding gameplay. The online casino is top-notch because the games have incredible graphics and the casinos provide outstanding customer service to all of their customers.

Mega888 Has Several Different Games.
The range of games available at Mega888 is one of the premium attractions. Mega888 provides an incredible selection of games, all of which are of the highest calibre. The online casino offers a wide variety of games, including shooting, fishing, and arcade games.

Additionally, if you still think that this is insufficient, players can choose from a number of table games. The developers at Mega888 are constantly working to provide fresh material for the players at the online casino, so whenever a player enters the site, they will find new games.

To keep the platform updated with new games each month, the online platform occasionally undergoes maintenance. Consequently, each time you play at the online casino, you will have a distinctive gaming experience. Players can currently choose from hundreds of slot games, numerous live table games, and much more.

Mega888’s security is impenetrable.
The security of the Mega888 is one of its key characteristics. All gamers at Mega888 are helped by the security system’s design, which protects them from danger or attacks from outside sources. However, this wouldn’t have been possible if Mega888 hadn’t given the security team a sizable sum of money from their annual budget.

This indicates that the online casino places a high priority on security and won’t compromise it for anything. There is no history of fraud or account hacking at the online casino’s security. It demonstrates that the online casino ensures the confidentiality of all player financial and personal information right from the start.

You won’t ever need to be concerned about a hack or scam involving your account. The online casino has a good reputation, and Mega888 has received approval from numerous organisations as a legitimate online gaming platform. Additionally, numerous licencing companies have endorsed the casino, demonstrating that it is a secure and safe location to gamble.

The two-factor authentication barrier that Mega888 has for players between the email and the Mega888 Apk is its best security feature. This means that it would be nearly impossible for any outside attacker to access a player’s account without going through two distinct layers of security.

Additionally, if a hacker tries to steal money from a transaction, the online casino’s management team will immediately transfer the money to the legitimate owner after learning about the behaviour.

The security system’s usage of a 128-bit encryption technique is another observable aspect. The casino maintains sensitive data using this technique, including user names, passwords for Mega888 accounts, and financial information.

The online casino’s high level of encryption prevents many hackers from accessing any accounts. Last but not least, the online casino has a firewall that prevents hackers from accessing the site.

Services for Instant Cash Out Using Mega888
Every online casino has its unique cash-out options, and given that these services are available online, it is crucial for the platform to guarantee that the casino offerings are reliable and prompt. Mega888 ensures that their services are simple to use.

All of Mega888’s services to its players appear to be seamless. All that is required of players is consistency and a willingness to take financial risks when playing at an online casino. The casino has remarkable and simple processes in place so that players may withdraw their money with little hassle.

You must get in touch with a dealer in order to collect your money. You have a number of options for doing that, some of which include WeChat, real-time chat, phone calls, or WhatsApp. Make sure that the choice you choose is practical for you since the dealers Mega888 offers are knowledgeable, competent, and professional.

Every request a player submits receives a response within 24 hours, and any questions they may have will be addressed as soon as possible. Players can retrieve their money in the quickest and safest possible manner in this fashion.

Last Words
Overall, Mega888 might have a lot of characteristics that make it a casino you definitely want to play at. However, before you take the major step of gambling with your own money, it’s crucial to understand more about the games and their rules.

Continue Reading

Press Release

PHP source code was given backdoors thanks to a compromise of the Git server.



PHP source code was given backdoors thanks to a compromise of the Git server.

The official PHP Git repository was breached in the most recent software supply chain attack, and the code base was modified.

Yesterday, two malicious commits were uploaded to the PHP team’s server, which hosts the php-src Git repository.

Threat actors had verified these commits as if Rasmus Lerdorf and Nikita Popov, two well-known PHP developers and maintainers, had made them.

PHP Git server has an RCE backdoor installed.
Yesterday, two malicious contributions were uploaded to the official PHP Git repository in an effort to corrupt the PHP code base.

The event is concerning because 79% of websites on the Internet still use PHP as their server-side programming language.

The attackers released a mystery update upstream called “repair typo” in the malicious commits [1, 2] that BleepingComputer saw under the guise of a little typographical patch.

Looking closer at the newly added line 370, where the zend eval string function is used, reveals that the code in fact creates a backdoor for quickly achieving Remote Code Execution (RCE) on a website using this hacked version of PHP.

Developer Jake Birchall for PHP responded to Michael Voek, who had discovered the error originally, with the explanation, “This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.”

Nikita Popov, a PHP maintainer, explained the following to us via email:

“During a regular post-commit code review a few hours after the first commit, it was discovered. The modifications were immediately undone because they were blatantly malicious “According to Popov, BleepingComputer.

The malicious commit was also done under Rasmus Lerdorf’s identity, the person who created PHP.

But that should come as no surprise because with source code version control systems like Git, it is possible to sign off a change locally under a different identity [1, 2] and then upload the spoof commit to the remote Git server, where it appears to have been signed off by the person listed on it.

According to PHP maintainers, this malicious activity originated from the compromised server rather than from the compromise of an individual’s Git account, despite the fact that a thorough investigation of the incident is still ongoing.

The official PHP codebase has been moved to GitHub.
Following this event, the PHP maintainers have chosen to move the official PHP source code repository to GitHub as a precaution.

We’ve made the decision to stop running the server even though our investigation is still ongoing since we believe that keeping our own git infrastructure is an unnecessary security risk.

Popov stated that the GitHub repositories, which were previously merely mirrors, “would become canonical.”

After this modification, Popov demands that any future code updates be uploaded directly to GitHub rather than the site.

Anyone who wants to contribute to the PHP project must now join the PHP organisation on GitHub.

The same security alert includes advice for doing that.

You would need to have two-factor authentication (2FA) set on your GitHub account in order to join the organisation.

Beyond the two commits that were mentioned, “We’re investigating the repositories for any corruption,” says Popov.

In order to learn the full scope of this attack and whether any code was transmitted downstream before the fraudulent commits were discovered, BleepingComputer contacted Popov and the PHP security team.

Although it might have been cloned or forked in the interim, no tags or release artefacts reflect the changes.

Popov added to BleepingComputer, “The changes were in the development branch for PHP 8.1, which is scheduled for release at the end of the year.

The PHP team has confirmed to BleepingComputer that they want to decommission their git server ultimately and switch to GitHub permanently in the coming days.

Continue Reading

Press Release

According to an internally sourced Facebook post, Rob LathERN, CHIEF OF ADVERTISING INTEGRITY who handled ads around sensitive subjects, left the company on Dec. 30 (KATIE PAUL/REUTERS).



ads around sensitive subjects

Internal Facebook post indicates Rob Leathern, chief of advertising integrity who handled ad products around sensitive subjects, left the company on December 30  —  (Reuters) – Facebook Inc’s chief of advertising integrity, who handled the company’s ad products around sensitive subjects …

Continue Reading