“Colors” and “JS” are widely-used “no padding margin” (NPM) libraries, modules that are used in JavaScript and Node.js projects. Thousands of companies that use them have just learned that the hidden price of free software is that the open source developer may withdraw their consent at any time, for whatever reason might occur to them.
In this case, developer Marak Squires intentionally corrupted both of his NPM libraries so that they run in an endless loop. The incident was initially thought to be a hack, but political and personal messages included in the code and on related websites indicate that it was more of a disgruntled lashing-out.
Developer corrupts NPM libraries, possibly to draw attention to abuses of free software
Faker.js generates junk data for testing purposes, while colors.js is used to display a variety of text colors and styles. Each of these NPM libraries is used by thousands of projects.
The changes to the NPM libraries essentially broke anything that relied on them. They can still be used by reverting to older versions (faker.js version 5.5.3 and colors.js version 1.4.0). Faker.js is downloaded over two million times each week; colors.js is downloaded over 22 million times.
Bleeping Computer reported the story ahead of Github issuing a security advisory for both projects. Since the NPM libraries began generating gibberish text in an endless loop after recent updates, at first it was believed that they had been compromised by an attacker. Instead it turned out to be an open source developer who had decided to send a message.
Squires has yet to issue any sort of public statement on the incident, but several breadcrumbs of clues left around indicate that he was unhappy with so many for-profit companies making uncompensated use of his tools and that he may have also intended to spread a political message. The open source developer added an American flag module to the colors.js library along with the malign commit, and both of the NPM libraries print the word “LIBERTY” three times before they begin generating random characters.
Another element is a reference to Aaron Swartz, famed open source developer behind Creative Commons and RSS among other projects. This one-line reference has replaced the faker.js download description and the README file. Swartz became a source of conspiracy theories when he was charged with freely distributing documents from subscription-based academic database JSTOR and subsequently commited suicide in 2013. Some believe that Swartz was aggressively prosecuted for this relatively benign crime as part of a government campaign to pressure him into giving up information on contacts in Wikileaks or the hacker community, though there is no direct evidence of this.
Squires issued a tweet on January 6 saying that he was banned from Github, but his access appears to have been restored the next day. He posted an update to the colors.js page on January 8 referring to the glitches as the “Zalgo issue” and claiming to be working to fix it, but attached a picture of the characters from “It’s Always Sunny in Philadelphia” to make clear he was not serious. It is not clear if his account is again suspended, but all of his projects (including the corrupted ones) remain available.
Apparent prank highlights issues created by reliance on open source developers
Another breadcrumb left by Squires is a Faker.js forum post from November 2020, in which he declared “pay me or fork this” and decried companies of all sizes using his work for free. A January 2021 follow-up post claimed that he had found a corporation to fund “a month or two” worth of further development. A longer blog post in April 2021 fingered startup Retool, and accused them of reneging and copying his intellectual property. In retrospect, this particular line was revealing: “Even a small disruption in an open-source tool can cascade to millions of dollars of damages in lost time.”
There is a heavy reliance on open source software and libraries, and thus the open source developers behind them, in the business world. Responses to the actions taken by Squires have ranged from anger and outright declarations of entitlement to this free work (to the point of calling for punishments of open source developers that modify their projects in this way), to a cautious re-evaluation of the level to which organizations really should be relying on NPM libraries and similar tools that have this particular potential vulnerability of a project owner or contributor going rogue at any time.
Uriel Maimon, Senior Director of PerimeterX, elaborated on the potential damage of this very possibility: “Though the malicious intent was obviously visible due to the defacement and malfunctioning of the NPM libraries, what if instead of breaking the websites, the attacker used the library to steal PII or credit card information? How long would that have continued with no obvious change to the website before it became known? Months? Years? This underscores just how critical it is for modern websites to run real-time detection on their web applications in production to find out how third parties and the supply chain are affecting the integrity and security of their business.”
For their part, open source developers are kept busy not just with the functions and features of their products, but constant monitoring of potential security issues and occasionally having to scramble and work long hours to address them. This particular issue was likely inflamed by the recent emergence of the Log4J vulnerability, another incident involving a widely-used project maintained by a team of volunteer open source developers.