laitimes

Open source software as large as Vue's has been maliciously corrupted by the authors, implicated in thousands of apps

Compiled by | Nuclear Coke, Tina

The Dark Side of Open Source: What the Hell Happened to faker.js?

Users of the popular open source packages "colors" and "faker" have just suffered an incident in which deliberate sabotage caused applications to start outputting incomprehensible garbled data after loading these packages. The reason is that Marak Squires, the author of both packages, deliberately introduced an infinite loop that left thousands of applications relying on "colors" and "faker" out of control.

Colors.js is a JavaScript library for working with colors, while faker.js is a JavaScript library for generating fake data. Fake data is useful when building and testing applications, and faker.js can generate fake data for various fields, including addresses, businesses, companies, dates, finances, images, or names.

These two packages are particularly popular with developers: the colors package alone has more than 20 million weekly downloads on npm and nearly 19,000 projects that depend on it. In addition, faker is downloaded more than 2.8 million times a week on npm and has more than 2,500 dependent projects, making faker about as popular as Vue. Because this open source software is so widely used, the impact of the incident is correspondingly far-reaching.


Open source revolution, or open source riot?

The developer behind these two popular open source npm packages, "colors" (colors.js on GitHub) and "faker" (faker.js on GitHub), deliberately introduced bugs into their code, and the resulting commits went on to affect the thousands of applications that depend on them.

Just yesterday, users of open source projects such as the Amazon Cloud Development Kit (aws-cdk) suddenly found that their applications began to frantically output garbled messages on the console.

These messages contain a large number of words "LIBERTY LIBERTY" (liberty), followed by a large number of non-ASCII characters:


Users are shocked by the spam data poured out of the "faker" and "colors" projects (GitHub)

Initially, users suspected that the "colors" and "faker" packages used by these projects had been maliciously compromised, similar to the hijacking of packages such as coa, rc, and ua-parser-js by attackers last year. But it turned out that what broke colors and faker was actually faulty code deliberately committed by the legitimate developer.

Developer Marak Squires added a "new American Flag Module" to the v1.4.44-liberty-2 version of the colors.js package, which was subsequently pushed to GitHub and npm.


colors.js Prank submission by "Marak" (GitHub)

The infinite loop introduced in the new code never terminates, so any application that uses "colors" endlessly prints garbled text made up of sequences of non-ASCII characters to the console.

Similarly, a prank version "6.6.6" of faker was released on GitHub and npm. The developer also said sarcastically, "We noticed a Zalgo bug in the v1.4.44-liberty-2 version of colors. We are working on this issue; please wait for the release of the fix." Zalgo text is text that appears glitched because it is overloaded with non-ASCII characters.

The developer's move appears to be deliberate retaliation against large corporations and other users who have long relied on free, community-backed software without giving back to the community, and against those who have used open source projects for commercial gain.

In November 2020, Marak had already warned that he would no longer "work for free" to support the business giants, stressing that there were only two paths ahead for these business entities: either choose to fork the project or compensate open source developers with "six figures" per year.


The developer had previously written, "Guys, I'm not going to use my pro bono work to support Fortune 500 (and other smaller companies). That's it. So now there are only two options: either send me a contract with a six-figure annual salary, or fork the project and find someone else to take over."


Interestingly, we found that the README page of the "faker" project's GitHub repo (https://github.com/marak/Faker.js/) was also changed by Marak, and now carries the words "What happened to Aaron Swartz?"

Swartz was a distinguished developer who helped build Creative Commons, RSS, and Reddit. His contributions have had a profound impact on almost all web developers. In 2013, at the age of 26, Swartz committed suicide amid a legal dispute.

To make the information freely available to all, he had downloaded millions of journal articles from the JSTOR database over MIT's campus network. His approach, allegedly, was to repeatedly change his IP and MAC addresses to bypass the blocking measures put in place by the school and JSTOR. But the move also led to Swartz facing charges under the Computer Fraud and Abuse Act, which could have carried a maximum sentence of 35 years in prison if he had been convicted.

The incident caused an uproar

Marak's bold move immediately caused an uproar, and people from all walks of life spoke out about the matter.

Some members of the open source software community praised the developer's bravery, but others expressed shock at his aggressive moves. One user tweeted, "It's clear that the author of colors.js is going crazy because he doesn't get paid... So he decided to output an American flag whenever a user loaded his package... What kind of logic is that?"

Some people also feel that this is "another case of an open source developer going rogue", and information security vendor VessOnSecurity has publicly called the move "irresponsible", stressing: "If you don't want someone to build a business on your free code, then why publish that code at all? This indiscriminate strike hurts not only large corporations, but every user of open source code. Such practices will only dampen users' enthusiasm for version updates, making them worry about every upgrade."

According to relevant reports, GitHub has frozen the developer's account, and the crowd is also talking about it:


NPM has rolled back the faker.js package to a previous version, and GitHub has suspended my access to all public and private projects. That's hundreds of projects, and now I can't access them. #AaronSwartz --@marak

Software engineer Sergio Gómez responded, "Deleting your own code also violates GitHub's terms of service? This is naked hostage-taking! We'd better be prepared to decentralize the hosting of software source code."

Another user tweeted, "I don't know exactly what's going on, but all of my own projects are hosted on private GitLab instances to avoid a similar situation. Never trust any Internet service provider."

A developer named Piero noted, "Marak messed up faker and colors, affected countless projects, and hoped he wouldn't be implicated in the slightest?"

It is worth remembering that Marak's excesses occurred not long after the recent Log4j incident. As a heavyweight open source library, Log4j is widely used in a variety of Java applications developed by different enterprises and business entities. The disclosure of the Log4Shell vulnerability triggered a string of further CVEs, and many open source maintainers had to spend their vacations fixing these free projects.

As a result, the open source community began to worry widely that large companies had grown used to "squeezing" open source work and consuming it endlessly, while giving nothing back to support the contributors who volunteer their free time to maintain critical projects. In the face of accusations from netizens and bug bounty hunters, some responded angrily, stressing that Log4j maintainers "have been working around the clock to build mitigations, including fixing, documenting, submitting CVEs, and responding to queries."

One user wrote in a tweet, "The response to the colors.js/faker.js author's destruction of his own software packages just shows that many enterprise developers believe they are morally entitled to enjoy the fruits of open source developers' labor for free, without giving anything in return. While the free and open source software movement and its goals are commendable, it has ended up disillusioning and impoverishing many very talented people, because open source is not actually a viable business model."

As for whether the open source software ecosystem can survive for a long time, I am afraid that only time can give the answer.

At the same time, users of the colors and faker npm packages are reminded to make sure they are running a safe version. The more prudent approach is to downgrade to the previous versions of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) and pin them.

Reference Links:

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
