A disgruntled developer deliberately broke two open source libraries: the npm packages colors.js and faker.js were sabotaged by developer Marak Squires.
Faker.js generates fake data for demos, while colors.js adds color to JavaScript console output. Faker.js averages 2.5 million weekly downloads and colors.js 22.4 million, so the implications are obviously significant for projects that use one or both libraries.
Misguided developer Marak Squires, administrator of the npm software registry, pushed two file revisions on GitHub. The sabotaged versions print an endless stream of letters and symbols, starting with the words “LIBERTY LIBERTY LIBERTY LIBERTY”.
More remarkable still, according to Bleeping Computer, the faker.js README was modified to read “What really happened with Aaron Swartz?” The prominent developer, who collaborated on Creative Commons, RSS and Reddit, was found guilty in 2011 of stealing documents from the JSTOR academic database and then making them available for free. Swartz committed suicide in 2013.
Punished on GitHub
Two days after the corrupted faker.js update, Squires complained on Twitter on Jan. 6 that he no longer had access to his GitHub account, including his hundreds of other projects. That same day he regained access and published the corrupt colors.js version with the liberty text. It is unclear for now whether his account was suspended again afterwards.
Squires has long been vocal about his displeasure with doing free open source work that anyone can use. In late 2020 he posted an announcement on GitHub saying he no longer wanted to work for free for Fortune 500 companies (or other, smaller enterprises), and challenged organizations to offer him an annual contract with a six-figure salary.
Open source never without danger
Fortunately, Squires did nothing destructive and the consequences are at most annoying to other developers. It is also a sudden wake-up call for them to always pin dependency versions: those who did so did not suffer from the problems above. That said, we are not justifying Squires’ actions. If he really does not want Fortune 500 companies to use his code, he should publish it on GitHub under a different license, such as “free for non-commercial use only”. Plenty of other “freemium” options exist.
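To make the advice about pinning concrete, here is an added example (not code from the article or from either project) that audits a package.json for floating version ranges, which are what let a sabotaged release reach a project that never chose to upgrade. The manifest contents are constructed, and the checker assumes plain semver specifiers (exact, ^, ~, >=, *, latest), not git URLs or dist-tags.

```javascript
// Added example: flag dependency specifiers that are not pinned to one exact version.
// A range such as "^1.4.0" lets `npm install` silently resolve to a newer release.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// True only for a specifier that can resolve to exactly one version.
function isPinned(spec) {
  return EXACT.test(spec.trim());
}

// Propose an exact pin for a range: the lowest version the range allows is the one
// the author tested against, so "^1.4.0" / "~1.4.0" / ">=1.4.0" -> "1.4.0".
// Wildcards and "latest" have no safe floor and yield null (pick a version by hand).
function suggestPin(spec) {
  const m = spec.trim().match(/^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/);
  return m ? m[1] : null;
}

// Walk every dependency section of a parsed package.json and report unpinned entries.
function findUnpinned(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) {
        findings.push({ section, name, spec, suggested: suggestPin(spec) });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; the version strings are illustrative, not real releases.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { colors: '^1.4.0', faker: '5.5.3', lodash: '*' },
  devDependencies: { mocha: '~9.1.0', eslint: 'latest' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnpinned(SAMPLE_PACKAGE_JSON)) {
    const advice = f.suggested ? `pin to "${f.suggested}"` : 'no safe pin, choose a version by hand';
    console.log(`${f.section}.${f.name}: "${f.spec}" -> ${advice}`);
  }
}
```

Pinning in package.json alone still lets transitive dependencies float; commit the lockfile and install with `npm ci` so the whole resolved tree is reproducible.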
A previous study found that as many as 99% of commercial software programs contain at least one open source component. Open source is everywhere and can be very powerful, but the story above also points to the risks: it takes only one misguided volunteer to bring numerous organizations and software tools to their knees. On the other hand, open source often offers higher quality than proprietary software and is more secure, according to Red Hat. Setting the right rules within organizations can certainly prevent a lot of problems.