Unhappy at being 'used by many big companies', the developer deliberately broke the npm colors.js and faker.js libraries
Initially, some people surmised that these two npm libraries had been hacked, but the story turned out to be more complicated than that.
It turned out that the developers of the above libraries had themselves created an infinite loop that caused thousands of projects depending on colors and faker to hang or print meaningless output.
The colors library is downloaded more than 20 million times per week, and on npm alone nearly 19,000 projects depend on it. Meanwhile, faker has 2.8 million downloads per week on npm and has over 2,500 dependent projects.
What is the root cause of this incident?
The developer behind the popular open-source libraries colors (aka colors.js on GitHub) and faker (aka faker.js on GitHub) intentionally pushed bizarre commits to them. As a result, thousands of applications that depend on these libraries have been affected.
For example, Amazon's Cloud Development Kit (aws-cdk) displayed meaningless messages on the console. The output begins with three lines of LIBERTY LIBERTY LIBERTY followed by lines of non-ASCII characters. Liberty means freedom.
Why would developers deliberately sabotage the libraries they created? The most likely reason is retaliation. The developers behind colors.js and faker.js are frustrated that large corporations and consumer businesses "use" free, community-provided software but do not support it or give anything back to the community.
In November 2020, developer Marak Squires - one of the people behind the colors.js project - said that he would no longer support large corporations for free. Instead, Marak advised corporations to consider forking the project and getting someone else to work on it, or paying him a six-figure yearly salary (in USD).
Mixed feedback from the community
Some people support Marak's actions while others say it is irresponsible behavior.
"If you don't want others to use the temple, don't give it away for free. Your self-destruction of the library not only harms your business, but also affects anyone who uses it. It's irresponsible," said the InfoSec expert with the nickname VesOnSecurity.
Immediately after the controversy broke out, GitHub temporarily locked Marak's account. This also caused mixed reactions.
"Deleting your own code from (GitHub) also counts as a violation of GitHub's Terms of Service? WTF?" complained software engineer Sergio Gómez.
The case is still controversial, and it is unclear how things will be settled in the end. In the meantime, if you use the colors and faker libraries in your projects, make sure you are not running the unsafe versions. Downgrading to an older colors version (e.g. 1.4.0) and an older faker version (e.g. 5.5.3) can be a useful solution.
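One way to carry out the check described above, as an added example (not code from the article or from the colors or faker projects): a Node.js script that walks a parsed package-lock.json, flags every installed copy of colors or faker newer than the versions named above, including copies nested under other packages, and builds a package.json "overrides" block to force them back. The sample lockfile, its 9.9.9 version and the function names are constructed for illustration.

```javascript
// Added example: flag colors/faker copies newer than the versions the article names.
const PINNED = { colors: "1.4.0", faker: "5.5.3" };
const isTracked = (n) => Object.prototype.hasOwnProperty.call(PINNED, n);

// Compare numeric major.minor.patch only; prerelease/build suffixes are ignored.
function compareCore(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy, including ones nested under other packages.
function findInstalled(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (isTracked(name) && meta.version) found.push({ name, version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isTracked(name) && meta.version) found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

const audit = (lock) =>
  findInstalled(lock).filter((p) => compareCore(p.version, PINNED[p.name]) > 0);
// Build a package.json "overrides" block (npm 8.3+) forcing the pinned versions.
const overridesFor = (flagged) =>
  ({ overrides: Object.fromEntries(flagged.map((p) => [p.name, PINNED[p.name]])) });

// Constructed lockfile; 9.9.9 is a made-up "too new" version, not a real release.
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/colors": { version: "1.4.0" },
  "node_modules/faker": { version: "9.9.9" },
  "node_modules/some-cli/node_modules/colors": { version: "9.9.9" },
} };
console.log(audit(sampleLock), JSON.stringify(overridesFor(audit(sampleLock))));
```

In a real project, pass the result of `JSON.parse` on the project's package-lock.json to `audit`, and reinstall after merging the overrides block into package.json.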