The first days of 2022 were tense for developers using the faker.js and colors.js libraries in their projects. Both are open source, and both received a malicious commit that causes the systems using them to behave abnormally. The most surprising part is this: it appears that both libraries were sabotaged by their own developer.
faker.js and colors.js are among the most popular libraries on NPM, the Node.js package manager. The first generates fake data for tests and demonstrations, while the second allows working with different colors in the console.
It is estimated that faker.js registers an average of 2.8 million downloads per week, while colors.js has more than 20 million weekly downloads and is present in almost 19 thousand projects.
That gives a sense of the damage any malicious modification to these libraries can cause. And it did cause damage: over the last week, several developers noticed that their projects were printing strange and unexpected messages to the console.
What has been found so far indicates that the commit was presented as an update adding “a new module of the American flag” to colors.js. In the case of faker.js, version 6.6.6 is what triggered the abnormal behavior.
And what behavior is this? The updates added a few lines of code to the libraries that make applications depending on them display messages with the text “LIBERTY LIBERTY LIBERTY” followed by a sequence of strange characters.
While searching for explanations, some developers discovered that the readme file of faker.js had been modified to display the following question: “what really happened to Aaron Swartz?”.
Looks like an attack, but it’s internal sabotage
At first glance, the problem appeared to be the work of an attacker or the result of a security breach. Surprisingly, BleepingComputer later pointed out that the libraries’ own developer, Marak Squires, was responsible for the malicious code.
Why would Squires sabotage his own projects? The motivations are unclear, but there is a clue: BleepingComputer discovered that, in November 2020, the developer posted a message on GitHub (since deleted) saying that he would no longer support companies that appear on Fortune’s list of the 500 largest companies in the world.
Based on this message, it is presumable that, by injecting the code into the libraries, Squires was protesting what he considers abusive or disproportionate use (with nothing given back) of open source software by large corporations.
The mention of Aaron Swartz reinforces the protest hypothesis. Swartz was an activist and developer who, among other things, participated in the creation of RSS feeds and helped create Reddit. He died by suicide in 2013, apparently because he could not withstand the pressure of the investigation he was under after being accused of breaking into an MIT digital library and illegally obtaining millions of academic articles from the institution.
The documentary The Internet Boy: The Aaron Swartz Story gives details about the activist’s trajectory.
On January 6th, two days after releasing the corrupted version of the faker.js package, Squires announced on Twitter, in a message with a hashtag that again mentions Aaron Swartz, that the previous version of the library had been restored and that his access to GitHub had been suspended.
But the suspension was apparently temporary. The faker.js and colors.js changelogs suggest that the developer later regained access to the service. Also, on January 8, he posted a message on the colors.js GitHub page promising a fix for the “zalgo” (the garbled text displayed by affected systems).
Although the message had a sarcastic tone, the promise was kept: the current version of colors.js appears not to be affected by the problem. faker.js, however, has still not changed, which is why developers have been advised to downgrade to the previous version of the library, 5.5.3.
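The practical lesson for teams that depend on these packages is to know exactly which version is locked in and to pin it rather than accept a range that would pull in a protest release on the next install. The following script is an added example, not code from the article or from either project: it audits a package.json and a lockfileVersion 2 package-lock.json for the faker release the article names (6.6.6) and for faker or colors specs that are not pinned to an exact version. The sample manifests are constructed for the demonstration.

```javascript
// Added example: audit Node dependency manifests for the sabotaged faker
// release and for faker/colors specs that are not pinned exactly.
const KNOWN_BAD = { faker: new Set(["6.6.6"]) };  // version named in the article
const SAFE = { faker: "5.5.3" };                  // downgrade target named in the article
const WATCHED = ["faker", "colors"];              // packages worth pinning

// Constructed sample manifests (not real files from any project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { colors: "^1.4.0", express: "4.17.1" },
  devDependencies: { faker: "^5.5.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/express": { version: "4.17.1" },
  },
};

// An exact semver (e.g. "5.5.3"); anything else (^, ~, *, x-ranges) is a range.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Returns findings as { name, kind, detail }; kind is "unpinned" or "known-bad".
function auditManifests(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (WATCHED.includes(name) && !isExactVersion(spec)) {
        findings.push({ name, kind: "unpinned",
          detail: `${field} spec "${spec}" is a range; pin an exact version` });
      }
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested node_modules
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(entry.version)) {
      findings.push({ name, kind: "known-bad",
        detail: `locked version ${entry.version}; downgrade to ${SAFE[name]}` });
    }
  }
  return findings;
}

for (const f of auditManifests(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.name}: ${f.detail}`);
}
```

Against the sample input it reports both watched packages as unpinned and flags the locked faker 6.6.6; on a real project, read the two files with fs.readFileSync and JSON.parse before calling auditManifests.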
Beyond questions about the validity of this type of protest, the matter raised discussions about whether GitHub was right to block the developer’s access to his own works on the platform; after all, the changes only involve projects he owns and maintains himself. As of Monday afternoon (the 10th), the service had not commented on the matter.