Open Source Developer Corrupts Popular Libraries Impacting Large Number of Projects

0
811

According to Bleeping Computer, a developer appears to have purposely damaged two open source libraries on GitHub and the software registry npm “faker.js” and “colors.js” that thousands of users rely on, rendering any project that includes these libraries worthless. While it appears that color.js has been upgraded to a functioning version, faker.js appears to be still be affected; however, the problem can be resolved by reverting to an earlier version (5.5.3).

A developer appears to have purposefully broken two open source libraries on GitHub as well as the software registry npm “faker.js” and “colors.js” that thousands of users rely on, according to Bleeping Computer, leaving any project that incorporates these libraries useless. While color.js looks to have been upgraded to a working version, faker.js appears to be still be affected; however, the issue can be rectified by reverting to a previous version (5.5.3).

Even worse, the readme file for faker.js has been modified to “What really happened with Aaron Swartz?” Swartz was a well known programmer who contributed to the creation of Creative Commons, RSS, and Reddit. Swartz was charged in 2011 with stealing documents from the academic database JSTOR in order to make them freely available, and he later committed suicide in 2013. The mention of Swartz by Squires could be a reference to the conspiracy theories surrounding his death.

According to Bleeping Computer, a number of users, including those using Amazon’s Cloud Development Kit, took to GitHub’s bug tracking system to express their concerns about the problem. Because faker.js receives almost 2.5 million monthly downloads on npm and color.js receives roughly 22.4 million weekly downloads, the corruption’s consequences are expected to be widespread. Color.js provides colours to javascript consoles, while faker.js generates fake data for demos.

Squires responded by posting an update on GitHub to solve the “zalgo issue,” which refers to the glitchy text produced by the faulty files. “It’s come to our attention that the v1.4.44-liberty-2 release of colours contains a zalgo problem,” Squires says, probably sarcastically. “Please know that we are working to resolve the matter right now and will have a resolution soon.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here