Open source developer corrupts his own files, impacting millions

10 Jan 2022

Image: © wavemovies/Stock.adobe.com

Marak Squires had previously posted on GitHub that he no longer wanted to support Fortune 500 companies with free work.

A GitHub developer has reportedly corrupted two important open source files he created with an update that triggers infinite loops, impacting millions of users who access the libraries for software development.

Marak Squires developed the two libraries, colors.js and faker.js, to add colours to Node.js consoles and generate fake data for demos. According to the Node.js package manager website NPM, colors.js has more than 23m weekly downloads while faker.js has nearly 2.5m.

First reported by Bleeping Computer, Squires intentionally introduced an infinite loop that ‘bricked’ thousands of projects that depend on the two libraries. This led to users, including those working with Amazon’s Cloud Development Kit, to report the bug to GitHub thinking they were compromised.

Squires added a ‘new American flag module’ to the latest version of colors.js and then posted it on GitHub and NPM, triggering three lines of the words “liberty liberty liberty” followed by incomprehensible characters in a loop. Faker.js was similarly sabotaged with the publishing of version 6.6.6.

According to The Verge, colors.js seems to have been updated to work, while faker.js may still be affected. Users of faker.js can resolve the issue by downgrading the update to a previous version of the file, v5.5.3.

Days after posting the updates, Squires took to Twitter to complain that his account had been suspended by GitHub.

While not stated explicitly, the motivation behind Squires’ actions could date back to November 2020 when, according to a GitHub post found by Bleeping Computer, he wrote that he no longer intended to support Fortune 500 and other companies with his free work.

“There isn’t much else to say. Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it,” he wrote.

Squires’ actions have once again raised the issue of unpaid open source work that often plays an important role in the software infrastructure that is monetised by major companies.

Filippo Valsorda, a member of the Google Go team and an open source developer, argued in a blog post last year that companies should pay open source developers: “Open source software runs the internet, and by extension the economy. This is an undisputed fact about reality in 2021.”

Last month, some of the world’s major tech companies, including Microsoft, Apple and Amazon, were affected by a cybersecurity threat dubbed Log4Shell. This stemmed from a Java-based logging utility that could potentially give a hacker unrestricted access to a company’s computer system.

Apache Log4j is an open source library that is used extensively in many Java applications. After the Log4Shell vulnerability was found, unpaid developers were left trying to fix a growing number of security issues in the project over the holiday period amid complaints from users.

Kayla Underkoffler, senior security technologist at HackerOne, said last month that projects such as the Internet Bug Bounty help organisations of all sizes deal with cyberattacks such as Log4Shell by pooling funding to incentivise research into open source vulnerabilities.

“Most organisations lack direct control over open source software within supply chains to easily fix these weaknesses. Securing this often poorly funded software is an imperative for any organisation that relies on it,” she warned.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Vish Gain is a journalist with Silicon Republic

editorial@siliconrepublic.com