The dark side of Open Source: What happened to Faker.js? Why export the American flag?

Users of the popular open source packages “colors” and “faker” were recently hit by unexpected behaviour that caused applications to print incomprehensible, garbled data after loading these packages. The cause is that Marak Squires, the author of both packages, deliberately introduced an infinite loop, leaving thousands of applications that depend on “colors” and “faker” broken.

Colors.js is a JavaScript library for manipulating colors, while faker.js is a JavaScript library for generating fake data. Fake data is useful when building and testing applications, and faker.js can generate it for a variety of domains, including addresses, businesses, companies, dates, finance, images, and names.

Both packages are particularly popular with developers, with the Colors package alone having more than 20 million weekly downloads on NPM and nearly 19,000 projects relying on it. Faker also has more than 2.8 million downloads per week on NPM and more than 2,500 related projects, making faker’s popularity comparable to Vue’s. Because open source software is so widely used, the issue is particularly far-reaching.

Open Source Revolution, or Open Source Insurgency?

The developer behind the two popular open source NPM packages “colors” (colors.js on GitHub) and “faker” (faker.js on GitHub) deliberately introduced breaking code; the corresponding commits affect the thousands of applications that depend on these packages.

Just yesterday, users of open source projects such as Amazon Cloud Development Kit (AWS – CDK) suddenly found their applications churning out garbled messages on the console.

The messages consisted of many repetitions of “LIBERTY LIBERTY LIBERTY” followed by a stream of non-ASCII characters.

GitHub shocked and appalled by the data dump from the faker and Colors projects

Initially, users suspected that the “colors” and “faker” packages used by these projects had been compromised, much as attackers hijacked the coa, rc, and ua-parser-js packages last year. But it turned out that what broke colors and faker was code intentionally committed by a legitimate developer.

Developer Marak Squires added a “new American Flag module” to v1.4.44-Liberty-2 of the colors.js package. The change was then pushed to GitHub and NPM.

Colors.js hoax submitted by “Marak” (GitHub)

The new code contains an infinite loop that never terminates, so any application that loads “colors” prints an endless stream of non-ASCII character sequences to the console.

Faker’s prank version “6.6.6” was also pushed to GitHub and NPM. “We noticed a Zalgo bug in COLORS in V1.4.44-Liberty-2,” the developer added sarcastically. “We are working to resolve this issue, please wait for the release of the solution.” Zalgo text refers to garbled non-ASCII characters of the kind produced by a malfunction.

The developer’s move appears to be a deliberate act of retaliation against large corporations and other users who have long relied on free, community-supported software, monetizing open source projects without giving anything back to the community.

In November 2020, Marak warned that there would be no more “unpaid work” to support commercial giants, stressing that these businesses had only two options: fork his projects, or compensate open source developers with “six-figure” annual salaries.

The developer previously wrote, “Guys, I will no longer support Fortune 500 (and other small companies) with my unpaid work. That’s all.” “So there were only two options: either you could offer me a six-figure contract, or you could branch off and find someone else.”

Interestingly, we found that Marak changed the README of the “Faker” project on GitHub (github.com/marak/Faker…) to include the question “What happened to Aaron Swartz?”

Swartz was a brilliant developer who helped build Creative Commons, RSS, and Reddit, and his contributions have had a profound impact on almost all Web developers. Swartz committed suicide in 2013 at the age of 26 during a legal dispute.

To make the information freely accessible to all, the hacktivist downloaded millions of journal articles from the JSTOR database over the Massachusetts Institute of Technology’s campus network. He allegedly did so by repeatedly rotating his IP and MAC addresses to circumvent the technical blocks put in place by the university and JSTOR. Swartz was then charged under the Computer Fraud and Abuse Act, which carried a possible sentence of up to 35 years in prison.

The incident caused a great uproar

Marak’s bold move immediately sparked a storm of voices from all walks of life.

Some members of the open source software community praised the developer’s bravery, while others expressed shock at his extreme behavior. One user tweeted, “Clearly the colors.js authors are freaking out because they can’t get paid… So he decided to output an American flag every time a user loaded his package… What kind of brain circuitry is that?”

“If you don’t want people to use free code to organize their business, why don’t you just not release it? This indiscriminate attack hurts not only big businesses, but everyone who uses open source code.” “This kind of behavior will only discourage users from updating and make them nervous every time they upgrade.”

According to reports, GitHub has suspended the developer’s account, and the public is buzzing about it. Marak tweeted:

NPM has rolled back the faker.js package to its previous version, and GitHub has suspended my access to all public and private projects. That’s a hundred projects, and I can’t access them anymore. #AaronSwartz –@marak

Sergio Gomez, a software engineer, responded, “Is deleting my own code a violation of GitHub’s terms of service? This is naked kidnapping! We’d better be prepared to decentralize the hosting of software source code.”

Another user also tweeted, “Not sure what the hell is going on, but I host all my own projects on private instances of GitLab so I don’t run into a similar situation. Never trust any Internet service provider.”

A developer named Piero pointed out, “Marak messed up Faker and Colors, affecting countless projects, and how can you expect to get away with it?”

It should be noted that Marak’s aggressive move comes on the heels of the recent high-profile Log4j bug. As a heavyweight open source library, Log4j is used in a wide variety of Java applications developed by different enterprises and commercial entities. The disclosure of the Log4Shell bug led to a string of follow-on CVEs, and many open source maintainers had to fix these free projects for free during their vacation.

There is widespread concern in the open source community that large enterprises have become accustomed to “squeezing” and consuming open source, but do not give back enough to support the contributors who volunteer their free time to maintain key projects. When netizens and bug bounty hunters criticized Log4j, others responded angrily, noting that its maintainers “have been working around the clock to build mitigation solutions, including fixes, documentation, CVE submissions, and responses to queries.”

One user tweeted, “The response to the authors of colors.js/faker.js destroying their own software packages just goes to show that many corporate developers feel they have the moral right to enjoy the work of open source developers for free without giving anything in return.” “While the free and open source movement and its goals are laudable, it has ultimately left many very talented people disillusioned and impoverished because open source is not actually a viable business model.”

As for the sustainability of the open source ecosystem, only time will tell.

In the meantime, users of both the colors and faker NPM packages are reminded to stay on known-good package versions. It is safer to downgrade colors (e.g. to 1.4.0) and faker (e.g. to 5.5.3) than to remain on the sabotaged releases.
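As an added example (not code from the article or from either project), here is a small audit of a package-lock.json that flags any installed copy of colors or faker newer than the known-good releases the article names, including copies nested under other dependencies, and builds the package.json "overrides" block npm uses to force them back to those pins. The lockfile contents are constructed for the example.

```javascript
// Added example (not the article's code): audit a package-lock.json for the
// colors/faker releases above and build a package.json "overrides" pin.
const KNOWN_GOOD = { colors: '1.4.0', faker: '5.5.3' }; // the article's advice

// "1.4.44-Liberty-2" -> { nums: [1, 4, 44], pre: "Liberty-2" }
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash < 0 ? v : v.slice(0, dash);
  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, pre: dash < 0 ? '' : v.slice(dash + 1) };
}

// Semver-style order: numeric parts first; on a tie a release outranks a
// prerelease (1.4.44 > 1.4.44-Liberty-2). Prerelease tags are not ordered.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/colors" or "node_modules/cli/node_modules/colors", so nested
// copies are checked too, not just the top-level dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!(name in KNOWN_GOOD) || !entry.version) continue;
    if (compareVersions(entry.version, KNOWN_GOOD[name]) > 0) {
      findings.push({ path, name, installed: entry.version, pinTo: KNOWN_GOOD[name] });
    }
  }
  return findings;
}

// package.json "overrides" block that pins every copy to the known-good release.
function overridesFor(findings) {
  return Object.fromEntries(findings.map((f) => [f.name, f.pinTo]));
}

// Constructed sample lockfile: sabotaged colors and faker at top level plus a
// clean nested colors copy that must not be flagged.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/colors': { version: '1.4.44-Liberty-2' },
    'node_modules/cli/node_modules/colors': { version: '1.4.0' },
    'node_modules/faker': { version: '6.6.6' },
  },
};
console.log(JSON.stringify(overridesFor(auditLockfile(SAMPLE_LOCK))));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no copy is newer than the pinned releases.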
