The bizarre case of the author who corrupted his own npm packages – colors.js and faker.js.
Originally reported by Bleeping Computer on Jan 9th the author of npm packages colors.js and faker.js, Marak Squires, has intentionally committed corrupt versions of each to his public GitHub repositories that trigger infinite loops causing a denial of service. These packages have affected an unknown number of users. The weekly download of colors.js (27 million with 19k dependent packages) and faker.js (3 million with 2500 dependent packages) makes this a wide spread issue across the industry.
82% of audit service customers from Revenera in 2021 contained Node Module Packages. Of those, 94% use colors.js while faker.js ranks at 67%.
At first the effects may be seemingly innocuous because of the project’s use cases. colors.js changes the color and style of text while faker.js creates fake data.
Seems simple right? But this is exactly why we love them: simple, small, and affordable (free) open source software. But one line of corrupt code can send your whole product askew.
Keep in mind, node modules can be vastly distributed across a single platform, affecting many products, and will determine the viability of various dependency packages related to its usage. One corrupted node module with a denial of service attack can possibly cause issues with many areas of your product.
Motivation and Public Sentiment
Squires’ motivations were explained on his personal blog from April 2021, “Monetizing Open-source is problematic” as well as on the faker.js repo, “No more free work from Marak – Pay Me or Fork This” and the reaction from the open source community has been varied.
While there are a group of people supporting Marak, given he is in fact the rightful owner and can do what he wants with his code, others are contending that it is an irresponsible response to what arose over one organization profiting off his work without him benefiting.
While his frustrations are understood, the solution to such issues as non-payment have more reasonable solutions then sabotaging your own code. For example, it’s possible to update the license to AGPL v3.0 which would require for-profit organizations to pay the author for a version of the product under another license or offering a supported version of the product.
Either way his actions have stirred up a conversation on many fronts, from the continuous need for testing to the rights and responsibilities of code owners.
For additional reading see: VessOnSercurity and the general discussion at twitter/color.js and reddit
A look at the corrupted color.js code
As originally reported by Sonatype, “Developers contributing to well-known OSS projects, including Amazon’s Cloud Development Kit (aws-cdk), Facebook’s Jest, Node.js Open CLI Framework,” and Nomic Labs Hardhat were all impacted and expressed concerns as to if colors.js had been hijacked.
As seen below, the affected version of colors.js outputs the text, “LIBERTY LIBERTY LIBERTY,” followed by an ASCII drawing of ‘Uncle Sam’, an American Flag, and a reference to Carl Pilcher. We believe this is a reference to an American Astrobiologist from NASA. This is followed by an infinite loop of this data being introduced by index.js on line 18 causing the output seen below in figure 3.
The corrupt colors.js code seen below has cheekily been referred to by the author as the “zalgo issue.” Zalgo text refers to certain non-ASCII characters that appear glitchy.
/lib/index.js – The Loop
/lib/custom/american.js – The American
The results cause an infinite loop of data that causes a denial of service: offroaders123
Solutions and Recommendations to the Bugs
Regardless of the reasoning behind the author’s choice to introduce his own bugs, there are a few solutions.
First the affected versions of the products are: colors: on GitHub is 1.4.44-liberty-2 and npm versions 1.4.1 and 1.4.2; faker.js: version 6.6.6
- As of this publication all versions of the sabotaged code of colors has been removed from npm. If you are pulling in the latest version of colors from npm you will be fine.
- Downgrading to an earlier version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is a safe solution for both.
- Move to the new dev project. Faker is now forked and is being maintained by a new group of developers hosted on npm and GitHub.
It is also always good practice when pulling code from npm to pin your dependency modules to a trusted version instead of pulling in the latest version. Pulling in the latest version always has the risk of introducing new bugs and security vulnerabilities.