Users of the widely used open-source libraries ‘colors’ and ‘faker’ were taken aback when their apps printed nonsensical data and crashed. Some speculated that the NPM packages had been hacked, but there is more to the picture: thousands of applications that depend on ‘colors’ and ‘faker’ were bricked by the developer of these libraries, who deliberately implemented an infinite loop.
On NPM alone, the colors library receives more than 20 million weekly downloads and is used by around 19,000 projects, while ‘faker’ has over 2,500 dependents and receives over 2.8 million weekly downloads.
The developer of NPM libraries ‘colors’ (colors.js on GitHub) and ‘faker’ (faker.js on GitHub) purposefully put malicious changes in them, affecting millions of apps that rely on these libraries. Users of major open-source projects, such as Amazon’s Cloud Development Kit (aws-cdk), have recently been taken aback when their apps began printing gibberish messages on their consoles. These messages contained the text ‘LIBERTY LIBERTY LIBERTY’ followed by a string of non-ASCII characters.
Users first assumed that the ‘colors’ and ‘faker’ libraries used by these projects had been hacked. However, it appears that the developer behind colors and faker was the one who purposefully committed the code that caused the breakage. In version v1.4.44-liberty-2, the developer, named ‘Marak,’ introduced a “new American flag module” to the colors.js package, which they subsequently published to GitHub and npm.
In any app that loads the affected ‘colors’ release, the infinite loop runs indefinitely, repeatedly writing the nonsense non-ASCII character sequence to the console. Faker’s corrupted version ‘6.6.6’ was likewise released via GitHub and npm. “It’s come to our attention that there is a zalgo bug in the v1.4.44-liberty-2 release of colors,” mocked the developer. “Please know we are working right now to fix the situation and will have a resolution shortly.” Zalgo text is the name given to this kind of glitchy-looking sequence of combining non-ASCII characters.
The developer’s purpose appears to be retaliation against mega-corporations and commercial customers of open-source projects that rely heavily on free, community-powered software but, in the developer’s view, do not contribute back to the community. Some in the open-source software community have applauded the developer’s actions, while others have been surprised. GitHub has suspended the developer’s account.
In terms of the OSS sustainability problem, only time will tell what the future of open-source software involves. Meanwhile, users of the ‘colors’ and ‘faker’ NPM projects should ensure they are not running an unsafe version. One mitigation is to pin to an older version of colors (v1.4.0) and faker (v5.5.3).
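The check in the last paragraph, as an added example that is not code from the article or from either project: a Node script that scans an npm lockfile for the sabotaged releases named above and produces the package.json `overrides` entries that pin the versions the article recommends. The lockfile contents are constructed for the demo, and npm's `overrides` field (npm 8.3 and later) is assumed to be available.

```javascript
// Added example: find the sabotaged colors/faker releases in an npm lockfile
// (lockfileVersion 2/3 "packages" map) and emit overrides that pin safe versions.
// Bad and safe versions are the ones named in the article; the lockfile is constructed.
const KNOWN_BAD = {
  colors: new Set(["1.4.44-liberty-2"]),
  faker: new Set(["6.6.6"]),
};
const SAFE_PIN = { colors: "1.4.0", faker: "5.5.3" };

// "node_modules/some-cli/node_modules/@scope/pkg" -> "@scope/pkg"; "" (root) -> null
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Walk every installed copy (including nested ones) and flag known-bad versions.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, info] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in KNOWN_BAD)) continue;
    if (KNOWN_BAD[name].has(info.version)) {
      findings.push({ name, path: lockPath, version: info.version, pin: SAFE_PIN[name] });
    }
  }
  return findings;
}

// Build the package.json "overrides" block (assumed npm >= 8.3) that forces the
// safe release for every copy of the package, nested copies included.
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.pin;
  return overrides;
}

// Constructed sample lockfile: one direct bad copy and one nested bad copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.44-liberty-2" },
    "node_modules/faker": { version: "5.5.3" },
    "node_modules/some-cli/node_modules/faker": { version: "6.6.6" },
  },
};

const findings = scanLockfile(SAMPLE_LOCK);
for (const f of findings) console.log(`${f.path}: ${f.name}@${f.version} -> pin ${f.pin}`);
console.log(JSON.stringify({ overrides: overridesFor(findings) }, null, 2));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; nested copies matter because a transitive dependency can pull in the bad release even when the top-level pin is safe.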