A developer corrupted npm and GitHub libraries after introducing unneeded file revisions to them. According to the report, “colors.js” and “faker.js” were affected.
At the time, the latest version was still being modified, while the earlier version had been reverted to its “working” state. A cybersecurity publication wrote that the problem could be resolved by going back to version 5.5.3.
A developer named Marak Squires added a file revision to the open-source library. The malicious commit, carrying the new American flag module and faker.js version 6.6.6, appeared to have reached the npm libraries.
The tech site noted that once these versions are installed, the affected apps fall into an infinite loop. Strange symbols appear in the project output, along with the text “LIBERTY LIBERTY LIBERTY”.
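The practical question for anyone depending on these packages is whether a sabotaged version already sits in their dependency tree and whether their manifest lets it in. The following is an added example (not code from the article or from the faker.js or colors.js projects) that scans an npm lockfile in the v2/v3 format for blocklisted versions and flags root dependency ranges that are not exact pins; the blocklist carries only faker@6.6.6 from the incident above, and the lockfile is constructed sample data.

```javascript
// Added example: audit an npm lockfile for known-sabotaged versions and floating ranges.
// KNOWN_BAD lists faker@6.6.6 from the incident described above; extend it from your own
// advisories. SAMPLE_LOCK is a constructed package-lock.json fragment (lockfileVersion 2).
const KNOWN_BAD = {
  faker: new Set(["6.6.6"]),
};

const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { faker: "^6.0.0", express: "4.17.1" } },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/some-tool": { version: "2.0.0" },
    // A nested copy pinned to the last good version: should not be flagged.
    "node_modules/some-tool/node_modules/faker": { version: "5.5.3" },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/",
// which keeps scoped names such as "@scope/pkg" intact.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed entry whose (name, version) pair is on the blocklist.
function findAffected(lock, blocklist = KNOWN_BAD) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not an installed package
    const name = packageName(lockPath);
    if (blocklist[name] && blocklist[name].has(meta.version)) {
      hits.push({ name, version: meta.version, path: lockPath });
    }
  }
  return hits;
}

// An exact semver pin has no range operator: "5.5.3" or "1.2.3-beta.1", nothing else.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range);
}

// Root dependencies whose declared range could float to a newer, possibly sabotaged release.
function floatingRanges(lock) {
  const rootDeps = ((lock.packages || {})[""] || {}).dependencies || {};
  return Object.entries(rootDeps).filter(([, r]) => !isExactPin(r)).map(([n]) => n);
}

for (const h of findAffected(SAMPLE_LOCK)) console.log(`affected: ${h.name}@${h.version} at ${h.path}`);
for (const n of floatingRanges(SAMPLE_LOCK)) console.log(`floating range, consider pinning: ${n}`);
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result from `findAffected` is the signal to roll back, and a non-empty `floatingRanges` shows which manifest entries would let a future release in automatically.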
The faker.js README file was altered as well: its title was changed to “What really happened with Aaron Swartz?”
The name in the file refers to a developer who became well-known for his contributions to several communities and projects, such as Reddit, RSS, and Creative Commons.
He was, however, found to be the person behind documents stolen from an academic database, which he made available for free public access. Two years later he died by suicide, and theories and rumors about his death have circulated since.
What Marak did on GitHub was alarming. Since many projects rely on faker.js and colors.js, the corrupted libraries cost their users a lot of resources.
Amid the issue, Squires posted an update on the open-source library as an immediate response. According to the developer, the previous faker.js package on npm was reverted to its old version. His GitHub account was suspended, per his tweet last week.
On Jan. 5 he pushed the faker.js commit to the npm libraries, and two days later (Jan. 6) he was hit with a ban. The suspension lasted until Jan. 7. At the time of writing, there was no indication of whether his account faced a renewed ban.
Dating back to November 2020, Bleeping Computer spotted some notable posts from Squires. According to the tech site, the developer said he would no longer do “free work.”
“Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”
The Verge wrote in its report that Squires's case could be one of many problems developers face every day: they provide a “free” service, going unpaid while endlessly fixing bugs on open-source platforms.