JavaScript dev deliberately screws up own popular npm packages to make a point of some sort

Faker.js and colors.js sabotaged by maker

Updated Two popular open-source packages were recently sabotaged with mischievous commits, creating confusion among those using the software and exacerbating concerns about the fragility of the open-source software supply chain.

The npm packages, faker.js and colors.js, were not hijacked by outsiders, as has been known to happen; rather their creator added code to the software libraries that made them malfunction.

Three days ago, developer Marak Squires added a "new American flag module" to colors.js, a module to simplify printing colored text in the developer console. The new code printed the word "LIBERTY" multiple times and an ASCII-flag to the developer console and went into an endless loop.

Six days ago, faker.js, used for generating fake data for API testing, also received an unexpected update: it removed the code, added the commit message "endgame," and replaced the ReadMe file with the question, "What really happened with Aaron Swartz?"

Swartz, something of an internet legend for his advocacy and tragedy, killed himself almost a decade ago following his indictment for downloading millions of JSTOR documents from MIT's network. Tomorrow, January 11, 2022, will be the ninth anniversary of his death. Squires appears to prefer a surreal conspiracy theory cited in a recent Twitter post.

The Register emailed Squires for comment. He replied, "brb soup," which at least is more than we typically get from Apple PR.

Squires perhaps better articulated his concerns through a blog post from April 25, 2021 – preserved via the Internet Archive's Wayback Machine – in which he described a purported attempt to monetize faker.js.

"No one pays for Faker development," Squires wrote. "Recently, we've begun to get sponsorships through services like Open Collective and Github Sponsors. Most of these donations are from fellow developers, and not enterprises or corporations. These donations have helped keep Faker development from stalling completely, but they are not sustainable.

"I do enjoy working on Faker, but I also can't afford to work for free. Like most of us, I have people who depend on me and I have bills to pay. Not wanting to give up, I decided the best course of action was to try and monetize the Faker project to ensure future sustainable development."

Trying to pay the rent

The plan, he claims, was to create a cloud service based on faker.js. However, he describes finding that another company was using his open source software to create an identical product. The Register has reached out to the company he named to ask about this, and we've not heard back.

In November 2020, Squires said in a now-removed GitHub Issues post that he was "no longer going to support Fortune 500s (and other smaller sized companies) with my free work."

The incident recalls the "left-pad" debacle in 2016 when developer Azer Koçulu unpublished over 250 of his modules from npm.

Developers incorporate npm modules into their applications so they can add functionality without having to implement the borrowed code themselves. By doing so, they add dependencies – modules or libraries their apps depend upon to function – and so when those dependencies break, get subverted, or disappear, that causes problems for many applications and people.

Faker.js is incorporated into more than 2,500 other npm packages and is downloaded 2.4 million times per week; colors.js is incorporated into almost 19,000 other npm packages and gets 23 million downloads a week.
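An added example, not code from the article or from either project, showing the dependency mechanism described above from the defender's side: a small Node.js script that flags dependencies declared with floating version ranges in a package.json and shows which candidate releases a caret or tilde range would accept. The manifest and version numbers are constructed for illustration.

```javascript
// Added example, not the article's or either project's own code. A floating
// range such as "^1.2.0" lets npm install any later same-major release at
// install time, which is how a sabotaged patch release reaches downstream
// projects; an exact pin only ever resolves to the version written down.
const EXACT = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  const parts = v.replace(/^[\^~]/, "").split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`unsupported version: ${v}`);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal resolver for the two most common floating specifiers (no semver
// library, so anything else is rejected rather than guessed).
function rangeAccepts(spec, candidate) {
  if (EXACT.test(spec)) return spec === candidate;
  const base = parseVersion(spec);
  const cand = parseVersion(candidate);
  if (compare(cand, base) < 0) return false;
  if (spec.startsWith("^")) {
    if (base[0] > 0) return cand[0] === base[0];                  // ^1.2.0 -> <2.0.0
    if (base[1] > 0) return cand[0] === 0 && cand[1] === base[1]; // ^0.2.0 -> <0.3.0
    return compare(cand, base) === 0;                             // ^0.0.3 -> 0.0.3 only
  }
  if (spec.startsWith("~")) return cand[0] === base[0] && cand[1] === base[1];
  throw new Error(`unsupported specifier: ${spec}`);
}

// List every dependency whose specifier is not an exact x.y.z pin.
function findFloatingDeps(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT.test(spec))
    .map(([name]) => name);
}

// Constructed sample manifest; the version numbers are made up for illustration.
const samplePkg = {
  dependencies: { colors: "^1.2.0", faker: "2.3.4" },
  devDependencies: { mocha: "~9.1.0" },
};
console.log(findFloatingDeps(samplePkg));     // ["colors", "mocha"]
console.log(rangeAccepts("^1.2.0", "1.2.1")); // true: a new patch release is pulled in
console.log(rangeAccepts("2.3.4", "2.3.5"));  // false: the pin resolves only to 2.3.4
```

A lockfile plus `npm ci` gives the same protection for transitive dependencies, which this manifest-level check does not see.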

Suffice to say that the developer community took notice of this disruption and once again wondered aloud what can be done to make the process of creating and maintaining open source projects more sustainable.

GitHub, which operates the npm registry these days, suspended Squires's account. In the meantime, his repos remain publicly accessible. The Register has asked GitHub to explain its rationale for doing so but we've not heard back. Npm also reverted the changes Squires made to at least one of his libraries.

In a blog post, Armin Ronacher, director of engineering at software monitoring firm Sentry and creator of Flask, the popular Python web app framework, took the incident as another sign that the open source community needs support. Efforts to help by funding certain projects, he said, don't always work, because many foundational libraries are overlooked as they're not as visible as other projects.

"Clearly we need to solve funding of open source projects and I love that GitHub sponsors is a thing," he wrote. "But I think we need to find a better way to assess [the] impact of libraries than just how many people depend on this on npm or other package managers. Because that's by far not the whole picture." ®

Updated to add

"GitHub is committed to ensuring the health and security of the npm registry," the organization told The Register.

"We removed the malicious packages and suspended the user account in accordance with npm's acceptable use policy regarding malware, as outlined in our Open Source Terms. We also published a security advisory here."
