Developer Changes Open Source Libraries Corrupting Thousands of Applications

The developer of two widely used open-source libraries has intentionally added an update to brick the many thousands of applications that depend on those libraries. The libraries in question are colors.js and faker.js – Colors has more than 22.4 million downloads a week and faker has more than 2.8 million weekly downloads on npm.

The developer has added malignant commits to the libraries that result in the applications that depend on them printing gibberish on the console. The changes trigger an infinite loop that causes applications to display three lines of text with the LIBERTY LIBERTY LIBERTY, followed by a string of gibberish non-ASCII characters.

When users of the libraries started experiencing problems with their applications, many thought this was a malicious attack; however, it soon became apparent that this was a deliberate act by developer Marak Squires as a protest against increasing use of open source code by big businesses for their profit-making applications. Open source code is created by developers and made available for free. Squires took issue with the fact that those businesses and other commercial consumers are profiting from using open source code but are giving nothing back to the community, while the developers of the code are required to continue to maintain and update their code in their own time for no payment.

Squires explained in November 2020 that he would no longer continue to support big businesses such as Fortune 500 firms for free. Bleeping Computer, which first reported the story, found an old GitHub post from Squires saying “Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he says. “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

The solution for anyone who has downloaded the sabotaged versions of the libraries is to downgrade to a version that does not contain the malignant commits such as colors.js version 1.4.0 and faker version 5.5.3. The versions that cause problems are the v1.4.44-liberty-2 release of colors.js and the v6.6.6 version of faker. It now appears that the latest version of color.js has had the issue fixed, but not yet faker, which has reverted to a previous version.

Such a move was unlikely not to have repercussions, one of which was GitHub temporarily suspending Squires on the platform, preventing him from accessing hundreds of public and private projects, although it appears that the suspension has been lifted.

It would appear that Squires sabotaged his own libraries to raise awareness of one of the problems with open source development. Developers and volunteers are spending a considerable amount of their time creating code for free and updating and fixing security issues and big businesses are heavily reliant on free code and the unpaid labor of developers and volunteers and are giving little, if anything, back to the community.

Author: NetSec Editor