Open source isn't easy, and Lu Dan (the author's nickname) has something to say.

Hello everyone, I'm from HelloGitHub. Recently, the news that "the author of a popular open source project deleted it and then committed malicious code" set off a lot of discussion among open source enthusiasts.

I know how hard it is to maintain an open source project, so I wondered why he was willing to delete his.

With Chinese New Year just around the corner, I'm not interested in merely following the drama of this affair; readers who are can look up the full ins and outs themselves.

Background

Here are the two Node.js open source projects at the center of the controversy:

1. faker.js

A Node.js library for generating large amounts of fake data. It can automatically create rich, realistic and varied test data: names, dates, profile pictures, addresses and so on. Since the author had deleted the project, I found a mirror of the original project homepage; the project was created seven years ago and had 34,000 stars and 266 contributors.

New address: github.com/Marak/faker…

2. colors.js

A library for displaying colored text in the Node.js console. It was created seven years ago and has 4,500 stars and 44 contributors.

Address: github.com/Marak/color…

Although the functionality they provide is relatively simple, they conveniently solve problems in certain scenarios and carry a permissive open source license (MIT), so they reach a wide audience. Before looking at how popular they are, let's take a quick look at how an open source library goes from development, to distribution on a package management platform, to use by developers.

Normally we use them through NPM (the Node.js package manager), so I pulled the numbers from NPM:

To be honest, I was shocked when I saw the data! "faker.js" and "colors.js" may not seem like much, but by the numbers they are used by nearly ten million developers around the world. Together they see millions of downloads per day, and a total of 20,000 projects depend on them!

Both of these popular projects were created by a GitHub user named "Marak":

Why would Marak delete an open source project he had maintained for years, and then add malicious code to a project used by millions of people?

What happened

It all started with a venting issue Marak posted in November 2020:

Big companies are using my open source project for free. No one is paying for my efforts. I don’t want to work anymore.

I call it venting because the project was not actually deleted until a year later. So I guess he didn't really want to delete it at the time; rather, he had decided he no longer wanted to maintain open source projects for big companies for free, and wanted to make a living from maintaining them instead. From then on Marak tried to commercialize his open source projects, but things did not improve.

Half a year later, in April 2021, Marak published a post on his blog titled "Monetizing open-source is taken to be problematic", describing faker.js's attempts and frustrations on the road to commercialization during this period.

Its main points:

  • Still no company was paying for Faker, only sporadic sponsorship from individual developers
  • He built a paid cloud service on top of Faker, but it did not make money
  • A startup copied his service and offered a similar one for free
  • Marak spoke to that company's CEO, without success

All of this hardened his resolve to delete the project, and on January 5, 2022 Marak deleted the source code of faker.js.

Things didn't end with the deletion of the project; something bigger followed. On January 7 he received a notification that GitHub had suspended his account.

His GitHub account was reinstated before long, but the combination of these things (not making money, being copied, being banned) so infuriated Marak that he began to fight back and, in his own way, speak out for freedom.

The next day, January 8, 2022, he pushed malicious code into his even more widely used colors.js project: an infinite loop that prints garbled characters. He named the release v1.4.44-Liberty-2 and published it to NPM.

The result for Node.js projects using the library: crashes, garbled output, and so on.

The issue has since been dealt with by NPM and another colors.js maintainer, but the project's author, Marak, has neither fixed it nor explained why he did it.

That's the story so far. Online reactions fall into three camps:

  • (Support) It's his own code; he calls the shots.
  • (Neutral) Sympathy.
  • (Opposed) If you have something to say, say it; don't mess around. Inconsiderate, irresponsible, immoral.

Lu Dan has something to say

It started with money and ended with freedom.

Personally, I don't see any problem with him deleting his projects. What's wrong with deleting your own code? In my opinion, the malicious code he committed afterwards is just a programmer's prank: it does no real harm, though it's easy to get a scare from it. It also taught me a vivid security lesson: pay attention to the version numbers of the libraries you use; always taking the latest version is risky.
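As an added illustration of that version-number lesson (example code written for this page, not from the original post or from the faker.js or colors.js projects): a small Node.js script that audits a package.json for version specifiers that float, and that would therefore pull in whatever a maintainer publishes next. The package.json contents, the package names and the `hasLockfile` flag are constructed inputs for the example.

```javascript
// Added example, not code from the original post or from either project:
// a dependency-hygiene audit for a package.json. It separates version
// specifiers that float (and silently pick up the next published release)
// from exact pins, which only change when you choose to upgrade.
// The package.json below is constructed for this example; the package
// names are illustrative only.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "colors": "^1.4.0",        // floating: >=1.4.0 <2.0.0
    "faker": "~5.5.0",         // floating: >=5.5.0 <5.6.0
    "left-pad": "*",           // floating: any version at all
    "lodash": "4.17.21",       // pinned: exactly this version
    "express": "latest",       // floating: follows the "latest" dist-tag
  },
  devDependencies: {
    "jest": ">=27.0.0",        // floating: open-ended lower bound
  },
});

// An exact semver version: MAJOR.MINOR.PATCH with optional pre-release
// and build metadata, e.g. "4.17.21" or "1.4.44-Liberty-2".
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one version specifier as "pinned", "floating" or "external"
// (git URLs, tarball URLs and file: paths, which need their own review).
function classifyRange(range) {
  const r = String(range).trim();
  if (EXACT_VERSION.test(r)) return "pinned";
  if (/^(git\+|github:|https?:|file:)/i.test(r)) return "external";
  return "floating";
}

// Walk the dependency sections and report every specifier that is not an
// exact pin. Returns an array of { section, name, range, kind } findings.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const kind = classifyRange(range);
      if (kind !== "pinned") findings.push({ section, name, range, kind });
    }
  }
  return findings;
}

// Exact pins only cover direct dependencies; transitive ones still float
// unless a lockfile is committed and installs use `npm ci`, which installs
// exactly what package-lock.json records. `hasLockfile` is passed in rather
// than read from disk so the function stays side-effect free.
function auditProject({ packageJsonText, hasLockfile }) {
  const findings = auditDependencies(packageJsonText);
  return {
    findings,
    floatingCount: findings.filter((f) => f.kind === "floating").length,
    lockfileMissing: !hasLockfile,
    ok: findings.length === 0 && hasLockfile,
  };
}

// Stand-alone usage: print a short report for the constructed sample.
const report = auditProject({ packageJsonText: SAMPLE_PACKAGE_JSON, hasLockfile: false });
for (const f of report.findings) {
  console.log(`${f.section}: ${f.name}@${f.range} is ${f.kind}`);
}
if (report.lockfileMissing) {
  console.log("no lockfile: transitive dependencies are unpinned");
}
```

Pinning direct dependencies is only half the job: a committed package-lock.json together with `npm ci` is what actually freezes the whole tree, and reviewing the diff of that lockfile before merging is where a surprise release like the one described above would show up.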

I admire him for having the courage to speak out in this way. What a hardcore guy!

What do you think? Lu Dan says there's no harm in speaking your mind.