Open source developer corrupts widely-used libraries, affecting tons of projects

Illustration by Alex Castro / The Verge

Two open-source libraries that thousands of projects depend on were deliberately corrupted by their own developer, rendering any project that pulls in the sabotaged versions non-functional, as Bleeping Computer reports. colors.js appears to have since been updated to a working version, while the faker.js issue can be worked around by downgrading to a previous version.

Any application that installs the sabotaged versions of either library is affected.

The developer of both libraries, Marak Squires, pushed a commit to colors.js that adds "a new American flag module" and published version 6.6.6 of faker.js. The sabotaged versions make applications that load them spew strange letters and symbols, beginning with three lines of text reading "LIBERTY LIBERTY LIBERTY".
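The downgrade workaround mentioned above amounts to finding every copy of the two packages in a project's dependency tree, including transitive copies nested under other packages, and pinning each back to a release published before the sabotage. The script below is an added example; it is not code from the article or from either project. It assumes, which the article does not state, that the last good releases were colors 1.4.0 and faker 5.5.3, and it reads a constructed package-lock.json embedded inline rather than a real one. It goes slightly beyond the article by handling both lockfile layouts npm has used (the nested "dependencies" tree of lockfileVersion 1 and the path-keyed "packages" map of versions 2 and 3). The version strings "1.4.44-liberty-2" and "6.6.6" are the ones the article reports.

```javascript
// Added example: audit an npm lockfile for the sabotaged colors/faker releases
// and pin both packages back to the last good version via package.json
// "overrides". Not code from the article or from either project.
// Assumption (not stated in the article): the last good releases were
// colors 1.4.0 and faker 5.5.3. Anything newer is treated as suspect.
const KNOWN_GOOD = { colors: '1.4.0', faker: '5.5.3' };

// Split "1.4.44-liberty-2" into the numeric core [1, 4, 44] and the prerelease
// tag "liberty-2" (empty string when the version has no prerelease part).
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? '' : v.slice(dash + 1);
  return { nums: core.split('.').map(Number), pre };
}

// Semver-style ordering: compare major.minor.patch numerically, then treat a
// prerelease as lower than the plain release of the same tuple. Returns -1/0/1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// Enumerate every installed package in a package-lock.json object, including
// nested (transitive) copies. lockfileVersion 1 stores a nested "dependencies"
// tree; lockfileVersion 2/3 store a "packages" map keyed by install path such
// as "node_modules/some-cli/node_modules/faker".
function* installedPackages(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry, not a dependency
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Return every installed copy of colors or faker that is newer than the
// known-good release, i.e. the sabotaged versions and anything after them.
function findSabotaged(lock) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const good = KNOWN_GOOD[pkg.name];
    if (good && compareVersions(pkg.version, good) > 0) hits.push(pkg);
  }
  return hits;
}

// Return a copy of package.json with an "overrides" block (honoured by npm 8.3+)
// that forces every transitive copy of both packages to the pinned release.
function pinInPackageJson(pkgJson) {
  return { ...pkgJson, overrides: { ...(pkgJson.overrides || {}), ...KNOWN_GOOD } };
}

// One report line per suspect copy, so a CI job can fail on a non-empty result.
function report(lock) {
  return findSabotaged(lock).map((p) => `suspect: ${p.path} is ${p.name}@${p.version}`);
}

// Constructed sample lockfile (lockfileVersion 2) for demonstration: colors is
// on the "liberty" release the article names and a CLI tool's nested faker is
// on 6.6.6, while the top-level faker is still on the good release.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/faker': { version: '6.6.6' },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
console.log(JSON.stringify(pinInPackageJson({ name: 'example-app' }), null, 2));
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the nested faker copy in the sample is the case a plain `npm ls faker` at the top level can hide, which is why the walk covers every install path rather than only direct dependencies.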

The faker.js README was also changed to read "What really happened with Aaron Swartz?" Swartz was a prominent developer and activist who helped create Creative Commons, RSS, and Reddit. In 2011 he was charged with stealing documents from the academic database JSTOR, which he intended to make freely accessible; he died by suicide in 2013. The mention of Swartz may be a reference to conspiracy theories surrounding his death.

Users of the packages, including some working with Amazon's Cloud Development Kit, took to the projects' GitHub issue trackers to voice their concerns. The effects are likely far-reaching, since faker.js and colors.js both get over 2 million downloads per week. colors.js adds colors to JavaScript console output; faker.js generates fake data for testing.

The "zalgo issue" refers to the glitchy text that the corrupted files produce. Squires responded on the colors.js GitHub issue that the zalgo bug in the v1.4.44-liberty-2 release of colors had come to their attention, and that they were working to fix the situation and would have a solution soon.

After pushing the corrupt update to faker.js, Squires tweeted that he had been suspended from GitHub. It looks like the suspension was lifted, judging by the changelogs of faker.js and colors.js: the faker.js commit landed on January 4th, while the "liberty" version of colors.js wasn't pushed until January 7th. It is not clear whether the account has since been banned again. The Verge reached out to GitHub for comment but did not hear back.

There is more to the story, though. Bleeping Computer dug up a post from November 2020 in which Squires said he no longer wanted to do free work: he would no longer support Fortune 500s (and other smaller companies) with his free work, and this was an opportunity either to fork the project and have someone else work on it, or to send him a six-figure yearly contract.

Squires' actions appear intended to draw attention to the moral and financial dilemma of open-source development: a vast number of websites, software packages, and apps rely on unpaid open-source developers to create and maintain essential tools and components. The same dynamic surfaces whenever those volunteers are left scrambling to fix security flaws in their projects, as with the Heartbleed bug in OpenSSL and the more recent Log4Shell vulnerability in log4j.