Press Release

Developer breaks thousands of apps by corrupting NPM libraries’ “colours” and “faker”

Users of the well-known open-source libraries “colours” and “faker” were astounded to see their programs, which depend on these libraries, printing nonsense data and breaking.

Some people wondered if the NPM libraries had been compromised, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an infinite loop that the creator of these libraries purposefully inserted.

Nearly 19,000 projects depend on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?
The creator of the well-known open-source NPM libraries “colours” (also known as colors.js on GitHub) and “faker” (also known as faker.js on GitHub) purposefully pushed sabotaged commits that affect millions of applications relying on these libraries.

Yesterday, users of well-known open-source projects, like Amazon’s Cloud Development Kit (aws-cdk), were astounded to see messages printed in gibberish on their consoles by their applications.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters:

Users initially believed that the “colours” and “faker” libraries used by these projects were compromised, much like how the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two packages knowingly committed the code that led to the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

For any app that requires “colours,” the infinite loop in the new code runs indefinitely, printing the non-ASCII gibberish character sequence over and over on the console.

Similarly, faker’s version 6.6.6 was tampered with and pushed to GitHub and npm.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 release of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.”

Zalgo text is text overlaid with stacked combining (non-ASCII) characters so that it looks glitchy and corrupted.

This developer’s mischief appears to be motivated by retaliation—against large corporations and commercial users of open-source projects who heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

“Respectfully, I will no longer provide free work to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as an opportunity to offer me a six-figure contract each year or to split the project and assign it to someone else.”

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz really end up?

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

The hacktivist allegedly repeatedly changed his IP and MAC addresses to get around the technological barriers set up by JSTOR and MIT in order to download millions of journal articles from the JSTOR database accessible via the MIT campus network in an effort to make information freely available to everyone.

In the process of accomplishing this, Swartz might have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

A can of worms
Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the creator of ‘colors.js’ is upset because they weren’t paid [sic]… He then made the decision to print the American flag each time his library is loaded.”

Some referred to this as “yet another OSS developer going rogue,” while infosec specialist VessOnSecurity called the move “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses using it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating since things might break.”

According to reports, GitHub has suspended the developer’s account. Even that has elicited conflicting responses:

“The Terms of Service of [GitHub] state that you may not remove your own code from the site. WTF? This is an abduction. We need to start decentralising the hosting of free software source code,” software engineer Sergio Gómez retorted.

“I’m hosting all of my projects on a GitLab private instance just in case anything like this happens to me. I have no idea what occurred. Never put your faith in any internet service provider,” another user tweeted.

“Marak yelled faker and colours, sabotaged a lot of projects, and anticipated nothing to happen?” commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

However, soon after the Log4shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were being found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; fixes, docs, CVE, replies to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

In the meantime, users of the “colours” and “faker” NPM projects should make sure they are not using a sabotaged version. One remedy is to pin faker and colours to earlier versions, such as 5.5.3 and 1.4.0 respectively.
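As an added example (not code from the article, nor from the colors or faker projects), the script below scans a package-lock.json for the corrupted releases the article names, so a team can check a repository before a build pulls one in. The function names and the sample lock file are my own constructions; the rule that also flags anything newer than the recommended 1.4.0 / 5.5.3 is mine, and the npm package is spelled colors, as on GitHub.

```javascript
// Added example (not from the article or the colors/faker projects): scan a
// package-lock.json for the corrupted releases the article names: colors
// 1.4.1, 1.4.2, 1.4.44-liberty-2 and faker 6.6.6 (safe: 1.4.0 / 5.5.3).
const KNOWN_BAD = {
  colors: new Set(['1.4.1', '1.4.2', '1.4.44-liberty-2']),
  faker: new Set(['6.6.6']),
};
const LAST_SAFE = { colors: '1.4.0', faker: '5.5.3' };
// True if a's numeric major.minor.patch exceeds b's; "-liberty-2" is ignored.
function newerThan(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return false;
}
// Flag a version the article names as bad, or (my rule, not the article's)
// anything newer than the last version it calls safe.
function isUnsafe(name, version) {
  if (!(name in LAST_SAFE) || !version) return false;
  return KNOWN_BAD[name].has(version) || newerThan(version, LAST_SAFE[name]);
}
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed
// by node_modules path). One finding per installed copy, nested copies included.
function findUnsafePackages(lock) {
  const findings = [];
  const add = (name, version, path) => {
    if (isUnsafe(name, version)) findings.push({ name, version, path });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path) add(path.split('node_modules/').pop(), meta.version, path);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      add(name, meta.version, path);
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}
const SAMPLE_LOCK = { lockfileVersion: 2, packages: { // constructed sample
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/colors': { version: '1.4.44-liberty-2' },
  'node_modules/faker': { version: '5.5.3' },
  'node_modules/some-tool/node_modules/faker': { version: '6.6.6' },
} };
console.log(findUnsafePackages(SAMPLE_LOCK));
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.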

Working RARBG Proxies & Mirrors Websites 2022

RARBG is one of the top torrent sites to consider if you want to download the most recent movies, TV series, video games, music, ebooks, software, etc. The torrent network is very busy, and numerous torrent files for multimedia, apps, and books are uploaded every minute, providing free access to all of this expensive content. It is very frustrating if you use the RARBG torrent network and suddenly discover that you can no longer access its primary domain https://rarbg.to.

Unable to access RARBG? Are you looking for alternate ways to reach RARBG? When RARBG is blocked, there are a variety of ways to access it, but the most practical are RARBG proxy and RARBG mirror websites. You’ll have to agree with me that it is difficult to find working RARBG proxies. Fortunately, a number of RARBG proxy and mirror websites have been set up by RARBG staff and other volunteers to help its users reach the torrent website. The content, structure, and updates on the RARBG mirrors are identical; the only difference is that RARBG mirrors use different domain names.

I’ll be providing you with a list of RARBG proxy and mirror websites in this brief article. The list will be updated frequently with the most recent mirrors and proxies.

These RARBG mirror and proxy websites were created and are maintained by RARBG staff or volunteers who want to provide unrestricted access to RARBG to everyone worldwide. Customers can browse RARBG content and use its functions even if the primary website is blocked in their internet connection by using any of these RARBG proxy/mirror websites. The top 50 RARBG proxy/mirror websites are listed below.

To access the original content of the RARBG website, look through these RARBG options. Please save this article, because we will be adding more RARBG proxy and mirror sites as we discover them. Additionally, if you want to learn about other noteworthy websites from which you may download paid items for free or watch movies online, follow the links provided below.

How to Unblock RARBG
If your ISP, workplace, school, or institution has blocked the main website, you can easily unblock it using the techniques described below.

TOR web browser
TOR (The Onion Router) is a network of relays that lets us communicate privately. That means you can use this browser to reach any kind of restricted website.

VPN
A VPN is a safer and more secure method, because a proxy site lacks safety and security and is easily traceable, whereas a VPN is not. Several well-known VPNs are Nord VPN, Cyber Ghost, Tor Guard, Express VPN, Pure VPN, and others.

1. The Pirate Bay
The first name that comes to mind when referring to torrents is The Pirate Bay. TPB is described as “the galaxy’s most resilient BitTorrent site,” having recently survived numerous closures and domain name seizures, and it is among the top torrent websites.

TPB is presently the most popular torrent index on the planet, holding a superb global Alexa rating of 131. TPB is well known for its straightforward user interface, wide variety of torrents, and dearth of advertisements. Of course, TPB deserves to be a great option and a successor to RARBG.

2. YTS.ag
The third best torrent website on the list is YTS.ag. In comparison to TPB and RARBG, YTS.ag mostly focuses on movies. Many people consider the YTS.ag torrents to be of excellent quality and also legitimate. Thanks to its slick user interface, YTS.ag is very impressive. If you prefer watching movies in high definition (HD), 720p, 1080p, and even 3D, YTS.ag should be at the top of your list.

3. LimeTorrents
Never overlook this site when searching for torrents. The torrenting website limetorrens.cc is well renowned for its remarkable database size. Additionally, it is highly valued because the consistency of reliable information is enough to keep visitors coming back. LimeTorrents is one of the torrent download sites with the largest databases.

4. EZTV
EZTV is managed by the same group that runs the top torrenting websites TPB and RARBG. After KickAss was shut down, the group created their own torrent website, EZTV.ag, which is less aesthetically pleasing than other popular torrent websites and features advertising links next to the main options. Its attractiveness may be due to its capacity to regularly refresh its material.

5. TorrentDownloads
TorrentDownloads is a great option because of its huge database and high-quality downloads. TorrentDownloads is both a top torrent site and a trusted location for many people thanks to its abundance of healthy torrents and phenomenal download speed.

6. 1337X
Additionally, 1337X holds a prominent position on the list. A full makeover of the 1337X website, which was launched in 2007, increased its traffic significantly. Due to its wide selection of activities, games, and TV, 1337X is a successful torrent site that does everything correctly.

1337X is suitable for folks who prefer older or less well-known torrents. They might not have as many torrents in their database as some other sites, but they probably do.

Hackers target Russian businesses with ransomware that was disclosed by Conti.

Using the Conti ransomware’s stolen source code, a hacking group produced their own ransomware to be used in cyberattacks against Russian organisations.

We frequently hear about ransomware attacks that target businesses and encrypt data, but we hardly ever hear about assaults on Russian organisations.

This absence of attacks is a result of Russian hackers’ widespread conviction that as long as they do not hit Russian targets, the nation’s law enforcement will ignore their attacks on other nations.

The situation has changed, though, as the hacking gang NB65 is now launching ransomware assaults against Russian firms.

Russian targets for ransomware
A group known as NB65 has been hacking Russian organisations for the past month, collecting their data and exposing it online, and says the attacks are a response to Russia’s invasion of Ukraine.

The document management company Tensor, the Russian space agency Roscosmos, and the state-owned Russian Television and Radio broadcaster VGTRK are among the Russian organisations that the hacking group claims to have attacked.

The attack on VGTRK was particularly noteworthy because it is claimed that 786.2 GB of data, including 900,000 emails and 4,000 files, were stolen and then released on the DDoS Secrets website.

The NB65 hackers have recently adopted a new strategy and, since the end of March, have been targeting Russian enterprises with ransomware attacks.

This is made even more intriguing by the fact that the hacker organisation used the Conti Ransomware operation’s leaked source code to construct their own ransomware. Conti is a group of Russian threat actors that forbid their members from assaulting targets in Russia.

A security researcher released 170,000 internal chat conversations and the source code for Conti’s operation after Conti sided with Russia in the war on Ukraine.

Threat researcher Tom Malka originally alerted BleepingComputer to NB65’s activities, but we were unable to locate a ransomware sample, and the hacking collective was unable to offer one either.

But yesterday, a sample of the modified Conti ransomware executable used by the NB65 was released to VirusTotal, giving us a look at how it operates.

This sample is recognised as Conti by almost all antivirus vendors on VirusTotal, and Intezer Analyze found that it shares 66% of the code with other Conti ransomware strains.

According to a test by BleepingComputer, the ransomware developed by NB65 appends the .NB65 extension to the names of the files it encrypts.

Throughout the encrypted device, the ransomware also drops ransom notes with the filename R3ADM3.txt. In the note, the threat actors blame President Vladimir Putin’s invasion of Ukraine for the cyberattack.

“We keep a careful eye on things. War crimes should not have been committed by your president. Look no further than Vladimir Putin for someone to blame for your current condition,” reads the NB65 ransomware message shown below.

A spokesperson for the NB65 hacker gang told BleepingComputer that the encryptor is built from the first Conti source code leak and adjusted for each victim so that existing decryptors will not work.

“It has been changed such that no decryptor created by Conti will function. A random key is generated for each deployment depending on a few variables that we alter for each target.

Without speaking to us, there is truly no way to decode,” NB65 told BleepingComputer.

NB65 informed us that they did not anticipate hearing from their victims at this time because they have not received any correspondence from them.

We’ll let NB65’s justifications for assaulting Russian groups speak for themselves.

ADOBE ENDS SUPPORT FOR FLASH TODAY AND WILL START BLOCKING FLASH CONTENT FROM JANUARY 12; MAJOR BROWSERS WILL BLOCK FLASH CONTENT FROM JAN. 1 (T.C. SOTTEK/THE VERGE)

Published

on

BLOCKING FLASH CONTENT FROM

Adobe ends support for Flash today and will start blocking Flash content from January 12; major browsers will block Flash content from Jan. 1  —  It’s the end of the line  —  Adobe scheduled its famous Flash software to end on December 31st, 2020, and today is the day.
