A GitHub developer has reportedly sabotaged two widely used open source libraries he created, publishing updates that send them into an infinite loop and affecting the millions of users who pull the libraries into their own software.
Marak Squires developed the two libraries, colors.js and faker.js, to add colours to Node.js console output and to generate fake data for demos and testing. According to the npm registry, colors.js has more than 23m weekly downloads while faker.js has nearly 2.5m.
As first reported by Bleeping Computer, Squires intentionally introduced an infinite loop that ‘bricked’ thousands of projects depending on the two libraries. This led users, including those working with Amazon’s Cloud Development Kit, to report the bug on GitHub in the belief that they had been compromised.
Squires added a ‘new American flag module’ to the latest version of colors.js and published it to GitHub and npm; on load it prints three lines of the words “liberty liberty liberty” followed by a stream of incomprehensible characters, repeating indefinitely. Faker.js was similarly sabotaged with the publication of version 6.6.6.
According to The Verge, colors.js appears to have since been restored to a working state, while faker.js may still be affected. Users of faker.js can resolve the issue by downgrading to the previous release, v5.5.3, and pinning that exact version in their dependency manifest so that a later publish is not pulled in automatically.
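The downgrade above is only half of the remedy: a floating version range such as `*` or `^1.4.0` lets npm select whatever the maintainer publishes next, which is exactly how a surprise release reaches thousands of builds. The following script is an added example, not code from the article or from the colors.js or faker.js projects. It scans a lockfile for an installed copy of a release named in the article (faker 6.6.6) and lists direct dependencies declared with a floating range. The lockfile is constructed for illustration and follows the npm lockfileVersion 2/3 layout, in which installed packages are keyed by their `node_modules/...` path; the package names and specs in it are invented, and the denylist holds only what the article states.

```javascript
// Added example (not from the article or the faker.js/colors.js projects):
// flag a known-sabotaged release in an npm lockfile and report direct
// dependencies whose version spec would let a newer publish in.

// Constructed sample lockfile (npm lockfileVersion 2/3 "packages" map).
// Not a real project's; names and specs are illustrative.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'demo-app',
      dependencies: { faker: '*', colors: '^1.4.0', express: '4.17.2' },
    },
    'node_modules/faker': { version: '6.6.6' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/express': { version: '4.17.2' },
    // A transitive copy of faker still on the last good release.
    'node_modules/some-lib/node_modules/faker': { version: '5.5.3' },
  },
};

// Releases the article names as sabotaged. The article names no specific
// colors.js version, so only faker is listed; extend from your advisory feed.
const DENYLIST = {
  faker: new Set(['6.6.6']),
};

// Last known-good release per the article, used to suggest the downgrade pin.
const KNOWN_GOOD = { faker: '5.5.3' };

// Package name from a lockfile path, e.g.
// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed copy (top-level or nested) whose version is denylisted.
function findDenylisted(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a package
    const name = packageNameFromPath(lockPath);
    const bad = DENYLIST[name];
    if (bad && bad.has(meta.version)) {
      hits.push({
        path: lockPath,
        name,
        version: meta.version,
        pinTo: KNOWN_GOOD[name] || null,
      });
    }
  }
  return hits;
}

// An exact pin is 'x.y.z' (optionally with a prerelease tag) and no range
// operator; '*', '^', '~', '>=' and 'latest' all float to newer publishes.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Direct dependencies of the root project declared with a floating range.
function floatingDirectDeps(lock) {
  const root = (lock.packages && lock.packages['']) || {};
  const specs = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  return Object.entries(specs)
    .filter(([, spec]) => !isExactPin(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// package.json "dependencies" entries that pin each denylisted package back
// to its known-good version (the article's faker 5.5.3 remedy).
function suggestedPins(lock) {
  const pins = {};
  for (const hit of findDenylisted(lock)) {
    if (hit.pinTo) pins[hit.name] = hit.pinTo;
  }
  return pins;
}

console.log('denylisted installs:', findDenylisted(sampleLock));
console.log('floating direct deps:', floatingDirectDeps(sampleLock));
console.log('suggested pins:', suggestedPins(sampleLock));
```

Running it against the constructed lockfile reports the top-level faker 6.6.6 install (the nested 5.5.3 copy is fine), flags `faker: "*"` and `colors: "^1.4.0"` as floating, and suggests pinning faker to 5.5.3. Pinning alone does not stop a compromised maintainer, but it turns a surprise publish into a change that shows up in a pull request rather than in the next `npm install`.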
Days after posting the updates, Squires took to Twitter to complain that his account had been suspended by GitHub.
NPM has reverted to a previous version of the faker.js package and GitHub has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz
— marak (@marak) January 6, 2022
While Squires has not stated his motivation explicitly, it may date back to November 2020 when, according to a GitHub post found by Bleeping Computer, he wrote that he no longer intended to support Fortune 500 and other companies with his free work.
“There isn’t much else to say. Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it,” he wrote.
Squires’ actions have once again raised the issue of unpaid open source work, which often underpins software infrastructure that major companies monetise.
Filippo Valsorda, a member of the Google Go team and an open source developer, argued in a blog post last year that companies should pay open source developers: “Open source software runs the internet, and by extension the economy. This is an undisputed fact about reality in 2021.”
Last month, some of the world’s major tech companies, including Microsoft, Apple and Amazon, were affected by a cybersecurity threat dubbed Log4Shell. It stemmed from a remote code execution vulnerability in Log4j, a widely used Java-based logging utility, which could let an attacker run arbitrary code on a vulnerable system.
Governments across the world, including the US and Ireland, rushed to advise organisations running web servers to take immediate steps before attackers got there first. “There is no evidence of any successful exploitation of this vulnerability in the State,” Ireland’s National Cyber Security Centre said.
The post Open source developer corrupts his own files, impacting millions appeared first on Silicon Republic.