Updated: Two popular open-source packages were recently sabotaged with mischievous commits, creating confusion among those using the software and exacerbating concerns about the fragility of the open-source software supply chain.
The npm packages, faker.js and colors.js, were not hijacked by outsiders, as has been known to happen; rather their creator added code to the software libraries that made them malfunction.
Three days ago, developer Marak Squires added a "new American flag module" to colors.js, a module to simplify printing colored text in the developer console. The new code printed the word "LIBERTY" multiple times and an ASCII-flag to the developer console and went into an endless loop.
Six days ago, faker.js, used for generating fake data for API testing, also received an unexpected update: it removed the code, added the commit message "endgame," and replaced the ReadMe file with the question, "What really happened with Aaron Swartz?"
Swartz, something of an internet legend for his advocacy and tragedy, killed himself almost a decade ago following his indictment for downloading millions of JSTOR documents from MIT's network. Tomorrow, January 11, 2022, will be the ninth anniversary of his death. Squires appears to prefer a surreal conspiracy theory cited in a recent Twitter post.
The Register emailed Squires for comment. He replied, "brb soup," which at least is more than we typically get from Apple PR.
Squires perhaps better articulated his concerns through a blog post from April 25, 2021 – preserved via the Internet Archive's Wayback Machine – in which he described a purported attempt to monetize faker.js.
"No one pays for Faker development," Squires wrote. "Recently, we've begun to get sponsorships through services like Open Collective and Github Sponsors. Most of these donations are from fellow developers, and not enterprises or corporations. These donations have helped keep Faker development from stalling completely, but they are not sustainable.
"I do enjoy working on Faker, but I also can't afford to work for free. Like most of us, I have people who depend on me and I have bills to pay. Not wanting to give up, I decided the best course of action was to try and monetize the Faker project to ensure future sustainable development."
Trying to pay the rent
The plan, he claims, was to create a cloud service based on faker.js. However, he describes finding that another company was using his open source software to create an identical product. The Register has reached out to the company he named to ask about this, and we've not heard back.
In November 2020, Squires said in a now-removed GitHub Issues post that he was "no longer going to support Fortune 500s (and other smaller sized companies) with my free work."
The incident recalls the "left-pad" debacle in 2016 when developer Azer Koçulu unpublished over 250 of his modules from npm.
Developers incorporate npm modules into their applications so they can add functionality without having to implement the borrowed code themselves. By doing so, they add dependencies – modules or libraries their apps depend upon to function – and so when those dependencies break, get subverted, or disappear, that causes problems for many applications and people.
Faker.js is incorporated into more than 2,500 other npm packages and is downloaded 2.4 million times per week; colors.js is incorporated into almost 19,000 other npm packages and gets 23 million downloads a week.
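The risk described above comes from version specs that let a new upstream release flow into a build with no change on the consumer's side. As an added example (not code from The Register or from the colors.js or faker.js projects), this script audits a package.json and reports every dependency that is not pinned to an exact version; the manifest and its version numbers are constructed for illustration.

```javascript
// Added example: flag dependency specs in a package.json that allow a fresh
// upstream release to be installed without a manifest change. The sample
// manifest below is constructed; its version numbers are illustrative only.

const PINNED = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify a single npm version spec:
//   pinned - exact version, only that release can be installed
//   any    - "*", "latest", "x" or empty: whatever is newest on the registry
//   range  - caret, tilde, comparator or partial version ("^1.4.0", "~4.17", "1.x", ">=2")
//   other  - git URLs, dist-tags, aliases, local paths: not a plain registry version
function classifySpec(spec) {
  const s = String(spec).trim();
  if (PINNED.test(s)) return 'pinned';
  if (s === '' || s === '*' || s === 'latest' || /^[xX]$/.test(s)) return 'any';
  if (/^[\^~<>=]/.test(s) || / - /.test(s) || s.includes('||')) return 'range';
  if (/^\d+(\.(\d+|[xX*]))?(\.[xX*])?$/.test(s)) return 'range';
  return 'other';
}

// Walk every dependency section and report specs that are not pinned.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'pinned') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { colors: '^1.0.0', faker: '1.2.3', express: '~4.0.0' },
  devDependencies: { mocha: '*' },
});

function runSample() {
  return auditManifest(JSON.parse(SAMPLE_PACKAGE_JSON));
}

for (const hit of runSample()) {
  console.log(`${hit.field}: ${hit.name}@${hit.spec} is ${hit.kind}; a new upstream release can be pulled in`);
}
```

Pinning in package.json only covers direct dependencies; transitive ones are fixed by committing the lockfile and installing with `npm ci`, which refuses to deviate from package-lock.json.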
Suffice to say that the developer community took notice of this disruption and once again wondered aloud what can be done to make the process of creating and maintaining open source projects more sustainable.
GitHub, which operates the npm registry these days, suspended Squires's account. Meanwhile, his repos remain publicly accessible. The Register has asked GitHub to explain its rationale for doing so, but we've not heard back. Npm also reverted the changes Squires made to at least one of his libraries.
In a blog post, Armin Ronacher, director of engineering at software monitoring firm Sentry and creator of Flask, the popular Python web app framework, took the incident as another sign that the open source community needs support. Efforts to help by funding certain projects, he said, don't always work: many foundational libraries get ignored because they are less visible than other projects.
"Clearly we need to solve funding of open source projects and I love that GitHub sponsors is a thing," he wrote. "But I think we need to find a better way to assess [the] impact of libraries than just how many people depend on this on npm or other package managers. Because that's by far not the whole picture." ®
Updated to add
"GitHub is committed to ensuring the health and security of the npm registry," the organization told The Register.
"We removed the malicious packages and suspended the user account in accordance with npm's acceptable use policy regarding malware, as outlined in our Open Source Terms. We also published a security advisory here."