
The Revenge of the Open Source Developer. It corrupts its code and makes you reflect

A hot Monday for many developers. The author of two very popular open-source libraries deliberately introduced a serious defect and published it. Hundreds of thousands of dependent projects were affected, and we are left wondering whether this is just another interesting story or a warning sign for the industry.

The protagonists of the drama are colors and faker, npm packages used in applications that run in the Node.js environment, for example in the dobreprogramy service itself. The colors library colours text printed to the console and is often used by developers themselves when debugging or monitoring an application. It is extremely popular, with 23 million downloads per week. The faker package generates random, fictitious data (e.g. names, e-mail addresses) for testing applications. It is “a little” less popular: just 2.5 million downloads each week.

In Poland it was a long weekend shortly after the New Year, and some people around the world were busy publishing new versions of their libraries. Among them was Marak Squires, author of colors and faker, among other packages. Programmers whose projects use at least one of these two dependencies were surely very surprised when they came to work on Monday. The new faker practically stopped working, and after an update colors fell into an infinite loop, printing the words “LIBERTY LIBERTY LIBERTY” and tons of random characters to the screen, which effectively hung the application.

[Image] One GitHub user showed how the “updated” version of colors works. Photo source: © dobreprogramy | Wojciech Kowasz

The community on the trail

Initially it was suspected that the library had fallen victim to an attack. This has happened before with npm packages: in October 2021 the ua-parser-js package (8 million downloads per week) had malicious code injected into it, which was published as a new version of the library and downloaded en masse by other programmers. A few days later a similar fate met the rc library (12 million) and coa (8 million). However, it quickly turned out that the reason here was different…


As with other open-source libraries, the colors and faker code was kept on GitHub and published from there. It took only a moment to see that the infinite loop mentioned above, as well as a few other surprises, had been left by none other than the author of the libraries himself. The offending commit was tracked down quickly, and a considerable discussion is going on under it, as well as on Reddit. As pathetic as it sounds, everyone is wondering why exactly Marak did this to the world and how far he can go.

Given the author's sarcastic statements and a statement from November 2020, unearthed by Bleeping Computer, in which Marak announces “the end of working for free”, the reasons can be guessed. The fact is, these millions of downloads do not come from nowhere. Programmers at the smallest and largest companies in the world use thousands of libraries for free, Marak's work among them, in their daily work, that is, in building other applications, often very complex and of critical importance, for which they are paid considerable money.

However, two common-sense conclusions immediately come to mind. First, by publishing the code on GitHub under the very liberal MIT license, Marak agreed that it would be downloaded for free and used commercially. After all, this is how the open-source community works. Second, if he no longer wanted to work on the project, nobody forced him to: he could simply have ended support for it, or handed the reins to someone else in the community. Instead, Marak decided on “after me, the deluge”, and everyone had to find out the hard way.

Interestingly, in the meantime, on January 6, that is, after the first sabotaged faker package, GitHub suspended Marak's account for “violating the rules of using the website”, but that was probably rather weak grounds, because the decision was quickly reversed. After all, it was the author himself who introduced changes to his own project; that it happens to be used by millions of programmers around the world is another matter… Perhaps it was this ban that irritated Marak enough to thumb his nose in the same way at users of the much more popular colors package.

What's next? npm reverted the packages to previous working versions. Still, we would suggest that programmers using either library look for alternatives, and that Marak take a couple of deep breaths. After this “happening”, will anyone hire him and actually pay for his work? Companies often appreciate programmers' selfless contributions to the open-source world, but here… “good luck”.
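The defensive lesson of the incident, that a caret range lets a new release of a dependency reach your build on the next install, can be checked mechanically. The following added example (our code, not from the article or from either package) audits a package.json for floating ranges on watched packages and compares every copy of them in a lockfile, nested transitive copies included, against a version you have reviewed; only the package names colors and faker come from the article, all version numbers and the sample files are constructed.

```javascript
// Added example, not from the article: audit dependency declarations so a new
// release of a watched package cannot be pulled in silently. Sample data is
// constructed; only the names "colors" and "faker" come from the article.
const WATCHLIST = ["colors", "faker"];
// An exact pin is a bare version such as "1.4.0". Caret/tilde ranges (npm's
// default), "x", "*", ">=", tags and URLs let npm choose a version at install time.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const isExactPin = (range) => EXACT_VERSION.test(String(range).trim());

// Watched packages whose declared range is not an exact pin, in any section.
function findFloatingDeps(pkg, watchlist = WATCHLIST) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (watchlist.includes(name) && !isExactPin(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Every installed copy of a watched package in a lockfile v2/v3 "packages" map
// (nested transitive copies included; keys look like
// "node_modules/a/node_modules/colors") whose version is not the reviewed one.
function lockDrift(lock, reviewed) {
  const drift = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (Object.prototype.hasOwnProperty.call(reviewed, name) && meta.version !== reviewed[name]) {
      drift.push({ path, installed: meta.version, expected: reviewed[name] });
    }
  }
  return drift;
}

// Constructed sample: colors floats on a caret range, and a nested copy in the
// lockfile has drifted to an unreviewed release ("9.9.9" is a stand-in).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { colors: "^1.4.0", express: "4.17.1" },
  devDependencies: { faker: "5.5.3" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-cli/node_modules/colors": { version: "9.9.9" },
  },
};
console.log(findFloatingDeps(SAMPLE_PACKAGE_JSON));
console.log(lockDrift(SAMPLE_LOCK, { colors: "1.4.0", faker: "5.5.3" }));
```

Run against a real project by replacing the two sample objects with `JSON.parse` of package.json and package-lock.json; a non-empty result from either function is the signal to pin or review before the next install.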


Beyond this particular case, it is worth being prepared for similar situations to repeat themselves, and not only in the world of programmers. Network administrators may remember the Supronet case from 2009, where one person's simple mistake in a BGP configuration, entering a parameter in the wrong window, caused massive Internet failures across a large part of the world for nearly an hour.

Time for a moment of reflection

In light of this weekend's devastation, as well as last year's attacks and the administrator's mistake from years ago, the same question remains valid: do we perhaps trust each other too much on the Internet, relying too heavily on the good intentions of others?

You need a driving licence to drive a car, but only a keyboard to create web applications, manage network infrastructure or even publish libraries such as colors. Users, programmers, administrators: we all take the skills of the people who co-create or manage the Internet on trust. Yet we do not have the capacity, or often the competence, to verify them. At the same time, we want the Internet to be free and independent of pressure, politics or anyone's particular interest.

We also count on the strength of an anonymous “community”, which can and does heal itself and over time strives toward equilibrium, but as we can see it is very susceptible to mistakes or ordinary human malice. On the other hand, it was these communities that built the foundations of today's Internet.
