Developer breaks hundreds of applications by corrupting NPM libraries’ “colours” and “faker”
Users of the well-known open-source libraries “colours” and “faker” were astonished to see programmes that depend on these libraries print gibberish to the console and break.

Some people wondered if the NPM libraries had been hacked, but the truth is far more complicated.

Thousands of projects that depend on “colours” and “faker” were broken by an endless loop that the creator of these libraries purposefully inserted.

Nearly 19,000 applications depend on the colours package, which has over 20 million weekly downloads on npm alone. Faker, on the other hand, has over 2,500 dependents and receives over 2.8 million weekly downloads on npm.

Revolution in Open Source?

The creator of the well-known open-source NPM libraries “colours” (known as colors.js on GitHub) and “faker” (known as faker.js on GitHub) deliberately committed sabotaging code that affects millions of apps relying on these libraries.

Yesterday, users of well-known open-source projects, including Amazon’s Cloud Development Kit (aws-cdk), were astounded to find messages printed in gibberish on their consoles by their apps.

In these messages, the word “LIBERTY” was followed by a string of non-ASCII characters.

Users first believed that the “colours” and “faker” libraries used by these projects had been hacked [1, 2, 3], much as the coa, rc, and ua-parser-js libraries were taken over by criminal actors last year.

However, as noted by BleepingComputer, it appears that the developer of these two libraries knowingly committed the code that caused the breakage.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js package yesterday and published version v1.4.44-liberty-2 to GitHub and npm. On npm, corrupted versions 1.4.1 and 1.4.2 also appeared.

In any app that requires “colours,” the infinite loop in the new code runs indefinitely, printing the non-ASCII gibberish sequence to the console over and over.

The developer sneered, “It’s come to our knowledge that there is a zalgo problem in the v1.4.44-liberty-2 version of colours.

Please be assured that we are trying to resolve the issue and will have it resolved soon.”

Zalgo text refers to strings of non-ASCII characters that give text a glitchy, corrupted appearance.

This developer’s mischief appears to be motivated by retaliation—against large businesses and commercial users of open-source projects that heavily rely on free and community-powered software but do not, in the developer’s opinion, contribute back to the community.

Marak had issued a warning in November 2020 stating that he would stop providing “free work” to large organisations and that businesses should instead think about forking the projects or paying the developer an annual “six figure” compensation.

“Respectfully, I will no longer provide free services to Fortune 500 corporations (and other smaller businesses). Nothing else has to be said,” the developer had previously written.

“Use this as a chance to offer me a six-figure contract each year or to split the project and assign it to someone else.”

Intriguingly, as of today, BleepingComputer observed that the developer has also changed the README page for faker’s GitHub repository to mention Aaron Swartz:

How did Aaron Swartz truly fare?

American hacktivist, entrepreneur, and programmer Swartz committed suicide after losing a court case.

In an effort to make information freely available to everyone, the hacktivist downloaded millions of journal articles from the JSTOR database via the MIT campus network. To get around the technical barriers set up by JSTOR and MIT, he allegedly changed his IP and MAC addresses repeatedly.

In the course of accomplishing this, Swartz could have violated the Computer Fraud and Abuse Act, which carries a maximum sentence of 35 years in jail.

uncanny worms in a can

Marak’s audacious action has sparked controversy and drawn conflicting reactions.

The developer’s efforts have drawn plaudits from certain members of the open-source software community while drawing condemnation from others.

“It appears that the “colors.js” creator is upset about not getting paid… He then made the decision to print the American flag each time his library was loaded,” one user tweeted.

Some referred to this as “yet another OSS developer going rogue,” but infosec specialist VessOnSecurity called the move “irresponsible,” saying:

“Don’t publish free code if you have issues with businesses utilising it for free. By destroying your own widely used products, you harm everyone who uses them as well as large business. This teaches people to avoid updating because things can fail.”

According to reports, GitHub has suspended the developer’s account. Even that has drawn conflicting responses:

“Is it against [GitHub’s] TOS to remove your own code from the site? WTF? This is an abduction. We must begin decentralising the hosting of open-source software,” Sergio Gómez, a software developer, answered.

“I have no idea what occurred, but I am hosting all of my projects on a private instance of GitLab just in case. Never put your faith in an internet provider,” tweeted another.

“Marak yelled faker and colours, sabotaged a lot of initiatives, and anticipated nothing to happen?” commented Piero, a developer.

Note that Marak’s unexpected action comes after the recent Log4j fiasco, which lit up the internet.

A wide variety of Java applications, including those created by companies and commercial entities, heavily utilise the open-source library Log4j.

Soon after the Log4Shell flaw was widely exploited, the open-source library’s maintainers worked unpaid overtime over the holidays to patch the project as more and more CVEs were found.

Large corporations were accused of “exploiting” open-source software by consuming it endlessly while providing little support for the unpaid volunteers who give their time to maintain these vital projects.

The Log4j maintainers, who were already “working sleeplessly on mitigation measures; patches, documentation, CVE, responses to questions, etc.,” were also attacked by some [1, 2, 3].

One Twitter user stated, “The replies to the colors.js/faker.js author trashing their own packages are extremely telling about how many corporate devs think they are ethically entitled to the unpaid labour of open source developers without putting anything back.”

Time will tell what the OSS sustainability issue means for the future of open-source software.

In the meantime, users of the “colours” and “faker” NPM projects should make sure they are not using a sabotaged version. One remedy is to downgrade to an earlier version of faker and colours, such as 5.5.3 and 1.4.0 respectively, and pin those versions.
