Well-known open source libraries suddenly jump to version 666! The mysterious bug affects more than 20,000 projects, and Amazon's cloud is caught in the crossfire

Reporting by XinZhiyuan

Editor: Sleepy

【New Zhiyuan Guide】Programs suddenly started printing garbage, and the developer rushed to "fix" it! However......

Over the past two days, some developers have been a little confused...

When I woke up, I found that everything my program printed had turned into "garbled text".

What these developers have in common is that they all use the open source libraries "colors" and "faker".

And these two libraries are quite popular!

On npm alone, the colors library is downloaded more than 20 million times a week, and nearly 19,000 projects are in use.

Faker is downloaded more than 2.8 million times a week on npm and is used by over 2500 projects.

Even Amazon's Cloud Development Kit (aws-cdk) uses them.

Initially, users suspected that the "colors" and "faker" libraries used by these projects had been compromised, similar to last year's cases in which the coa, rc, and ua-parser-js libraries were hijacked by malicious actors.

After seeing the feedback, the developer also quickly posted that he was already working hard on a "fix".

But as it turns out, the story isn't that simple.

I quit!

The incident began with the developer named Marak Squires.

Recently, Marak pushed v1.4.44-liberty-2 of colors (aka colors.js) and released version 6.6.6 of "faker" (aka faker.js on GitHub).

Anyone who knows a little about Western culture will immediately notice that there is something off about this "666".

A quick search shows that the images associated with it online are not pretty...

In short, it is inextricably linked to "demons".

What Marak did was introduce an infinite loop that causes thousands of projects relying on "colors" and "faker" to break outright.

The printed output includes the text "LIBERTY LIBERTY", followed by a long string of non-ASCII characters.

These characters are also known as "Zalgo text".

That is another interesting story in its own right; interested readers can look it up themselves.

However, as the minutes ticked by, their programs still would not run, and the project's maintainer submitted no fix for a long time.

Developers had to start looking for solutions on their own.

It soon became apparent that the problem went away by simply rolling back to the previous version, 1.4.0.
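Rolling back only helps if the pin sticks: a dependency declared with a floating specifier (caret, tilde, wildcard, open range) is upgraded again on the next install, so the next bad publish walks straight back in. As an added example, not code from the article or from either project, here is a small Node script that scans a package.json for such floating specifiers; the manifest it inspects, including the package names and versions in it, is constructed for the example.

```javascript
// Added example (not code from the article, colors.js or faker.js):
// scan a package.json for dependency specifiers that can float to a
// newer publish on the next install, which is how a broken or sabotaged
// release reaches projects that never asked for it.

// Constructed sample manifest for the example; not a real project's file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "colors": "^1.4.0",      // caret range: any newer 1.x release is accepted
    "faker": "5.5.3",        // exact pin
    "lodash": "~4.17.20",    // tilde range: any newer 4.17.x patch is accepted
    "left-pad": "*",         // wildcard: any version at all
    "some-lib": ">=2.0.0",   // open-ended range
    "other-lib": "=1.0.0"    // explicit "=" is still an exact pin
  },
  devDependencies: {
    "mocha": "9.1.3"         // exact pin
  }
});

// An exact pin is a bare semver version (optional leading "="), optionally
// carrying a prerelease and/or build suffix, e.g. "1.4.44-liberty-2".
const EXACT_PIN = /^=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_PIN.test(String(spec).trim());
}

// Returns every dependency whose specifier is not an exact pin, as
// { section, name, spec } objects, in manifest order. Git URLs, tags such
// as "latest" and "file:" paths are reported too, since none of them fixes
// the exact content that will be installed.
function findFloatingDeps(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const floating = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isExactPin(spec)) floating.push({ section, name, spec });
    }
  }
  return floating;
}

// Human-readable report; returns "" when everything is pinned.
function formatReport(floating) {
  return floating
    .map((d) => `${d.section}: ${d.name}@${d.spec} can float to a newer publish`)
    .join("\n");
}

const report = formatReport(findFloatingDeps(SAMPLE_PACKAGE_JSON));
console.log(report || "all dependencies are pinned to exact versions");
```

On the constructed manifest the script flags colors, lodash, left-pad and some-lib and accepts the exact pins. It only looks at direct dependencies; transitive ones are fixed by a committed lockfile, so the practical pairing is exact pins in package.json plus a lockfile installed with `npm ci`, which fails instead of silently resolving a new version.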

It can be inferred that the bug most likely comes from the latest commit, "v1.4.44-liberty-2".

Looking at the project's history, Marak added a "new American flag module" to version v1.4.44-liberty-2 of the colors.js library and pushed it to GitHub and npm.

The new code contains an infinite loop that makes every program using "colors" print sequences of non-ASCII characters to the console without end.

As for "faker", besides breaking his own package, Marak also modified the README of the GitHub repo.

This time, Marak laid his cards on the table: "endgame".

Marak also mentioned one person, Aaron Swartz: "What really happened to Aaron Swartz?"

Swartz was an American programmer, entrepreneur and prominent hacker activist who "committed suicide" after a legal proceeding.

To make information freely accessible to all, Swartz downloaded millions of journal articles from the JSTOR database over the MIT campus network, allegedly bypassing the technical blocks set up by JSTOR and MIT by repeatedly rotating his IP and MAC addresses.

Earlier, in November 2020, Marak had warned that he would no longer use his "free work" to support large companies, which should instead consider paying him a "six-figure" annual salary.

"With all due respect, I will no longer use my free work to support the Fortune 500 (and other smaller companies)."

"You can take this as an opportunity to give me a six-figure annual salary contract, or to have this project look for someone else."

With that, the whole reason for the incident became clear: Marak appeared to be retaliating against the big businesses and developers who make money from open source projects.

He believes that these people not only use a great deal of free software from the open source community, but also give nothing back to it.

Dare to mess with your own project? Watch me block your account

Regarding Marak's move, some developers in the open source community expressed understanding, while others flat out cursed him.

"Apparently, the author of 'colors.js' is angry that he is not paid. So he decided to print the American flag every time his library is loaded..."

Well, that's kind of interesting! (doge)

Information security expert VessOnSecurity called such behavior "really irresponsible."

"If you have a problem with businesses using your free code for free, don't post free code. By disrupting your own project that is widely used by developers, you are hurting not only the big business, but all the people who are using it."

But others argued: "Publishing code to your own libraries is not being responsible for anything. If you disagree with me, then please read the actual legal provisions in the license, which give no guarantees whatsoever. If it's irresponsible, so what? They don't need to be responsible."

And GitHub took one look and said: how dare this Marak mess around with his own project? Block him!

"NPM has reverted to the previous version of the faker.js package, and GitHub has suspended my access to all public and private projects. I have more than 100 projects."

Software engineer Sergio Gómez was baffled: "Is deleting your own code from GitHub a violation of their terms of service? WTF? It's an act of kidnapping."

Log4j: Work for free out of love, and still take the blame

Marak's "delete the library and run" stunt recalls the recent "Log4j incident".

According to FireWire Security's statistics, on GitHub alone 60,644 open source projects, which have released 321,094 packages, are at risk; the vulnerability can be said to affect the normal operation of more than 70% of enterprise systems on the Internet.

Since Java applications typically log a wide variety of events, such as messages sent and received by users or details of system errors, the vulnerability can be triggered in many ways.

Soon, the Log4Shell vulnerability began to be exploited on a large scale.

As more and more problems were discovered, Log4j's developers had to give up their holidays to patch the project.

Even as the maintainers were already "working sleepless nights: fixes, documentation, CVEs, replying to inquiries", some bug bounty hunters kept hounding them.

Log4j has also made more people pay attention to how large enterprises "squeeze" open source.

A large number of websites, software products, and applications rely on open source developers to create the basic tools and components that they consume continuously, without giving enough back.

And the developers who "tirelessly" fix security issues not only give up their leisure time, but also receive no financial support.

Netizens commented: "The reaction of the colors.js/faker.js author in destroying his own packages also shows how many enterprise developers believe they are morally entitled to use the unpaid labor of open source developers without giving anything in return."

As for the future of open source, probably only time will tell.

Resources:

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/