An open source developer sabotaged his own libraries on npm and GitHub by pushing unnecessary file revisions to them. According to the report, “colors.js” and “faker.js” were corrupted.
At the time of writing, the latest version was still being modified, while the previous release had been restored to a “working” state. However, a cybersecurity post said that the problem could be fixed by reverting to version 5.5.3.
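The advice above (revert to a known-good release) only holds if the project is actually pinned to that release and cannot silently pull a newer one. As an added example, not code from the article or from either project, the following Node.js script audits a project's package.json and package-lock.json for the two libraries the article names. The watch list, sample manifest and sample lock file are constructed; treating 5.5.3 as the known-good faker.js pin is an assumption, since the article does not say which library that figure refers to, and because it gives no version for colors.js the check only enforces exact pinning for that package.

```javascript
// Added example (not from the article): audit an npm project for the sabotaged
// faker.js / colors.js releases the article describes. All data below is constructed.

// Watched packages and the version to expect in the lock file. The article names
// faker.js 6.6.6 as the sabotaged release and 5.5.3 as the version to revert to;
// using 5.5.3 as the faker.js known-good pin is an assumption. For colors.js the
// article gives no version (null), so only exact pinning in package.json is enforced.
const WATCHED = {
  faker: "5.5.3",
  colors: null,
};

// True for an exact version string such as "5.5.3" (no ^, ~, *, ranges or tags).
function isExactVersion(range) {
  return /^\d+\.\d+\.\d+$/.test(String(range).trim());
}

// Flatten a package-lock.json into { path, name, version } entries.
// lockfileVersion 2/3 use a flat "packages" map keyed by install path;
// lockfileVersion 1 uses a nested "dependencies" tree.
function lockEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue; // "" is the root project itself
      // works for scoped names too: "node_modules/@scope/name" -> "@scope/name"
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      out.push({ path, name, version: meta.version });
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ path, name, version: meta.version });
        walk(meta.dependencies, path + "/"); // nested (deduped) dependencies
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Two checks: (1) a watched package declared with a range that can pull a future
// release automatically; (2) a watched package resolved in the lock file to
// something other than the known-good version.
function auditProject(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (name in WATCHED && !isExactVersion(range)) {
      findings.push({
        name,
        where: "package.json",
        detail: `range "${range}" can pull a newer release automatically; pin an exact version`,
      });
    }
  }
  for (const { path, name, version } of lockEntries(lock)) {
    const known = WATCHED[name];
    if (known === undefined || known === null) continue;
    if (version !== known) {
      findings.push({ name, where: path, detail: `resolved ${version}, expected known-good ${known}` });
    }
  }
  return findings;
}

// Constructed sample project: open-ended ranges plus a lock file that resolved faker to 6.6.6.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { colors: "^1.4.0", faker: ">=5.0.0", lodash: "^4.17.21" },
};
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

function sampleFindings() {
  return auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
}

for (const f of sampleFindings()) {
  console.log(`[${f.where}] ${f.name}: ${f.detail}`);
}
```

Run against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for package-lock.json; the lock-file check is the one that matters in CI, since a range in package.json tells you what could be installed, while the lock file tells you what was.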
Developer corrupts open source libraries
(Photo: Pankaj Patel from Unsplash)
Developer suspended after intentionally sabotaging GitHub and other open source libraries
According to a report by Bleeping Computer, a developer named Marak Squires pushed file revisions to the open source libraries. The commit adding a new “US flag module” and version 6.6.6 of faker.js appear to have reached the npm registry.
The tech site noted that once these versions were installed, affected apps would enter an infinite loop, printing the text “LIBERTY LIBERTY LIBERTY” followed by strings of strange symbols.
The case also involved modifying the faker.js README file: its title was found to have been changed to “What Really Happened With Aaron Swartz?”
The name in the file is that of a developer who became well known for his contributions to communities such as Reddit, RSS, and Creative Commons.
He was, however, identified as the culprit behind documents stolen from an academic database, which he made freely available to the public. Two years later he committed suicide, and theories and rumors about his death have surfaced since.
What Marak did on GitHub was alarming. Because so many projects depend on faker.js and colors.js, the corrupted libraries cost their users a lot of resources.
In the middle of the incident, Squires posted an update to the open source library in response. According to the developer, the faker.js package on npm had been reverted to its previous version, and his GitHub account had been suspended, according to his tweet last week.
NPM reverted to a previous version of the faker.js package and Github suspended my access to all public and private projects. I have hundreds of projects. #AaronSwartz pic.twitter.com/zFddwn631S
– marak (@marak) January 6, 2022
Squires is suspended
The Verge reported that shortly after he tweeted about his suspension from GitHub, the suspension appears to have already been lifted. The chronology of the Squires case is as follows.
On January 5th he pushed the faker.js commit to the npm registry, and two days later (January 6th) he was banned. The suspension lasted until January 7. At the time of writing, there was no mention of his account facing a new ban.
Dating back to November 2020, Bleeping Computer spotted some important messages from Squires. According to the tech site, the developer said he would no longer be doing “free work.”
Around the same time, Tech Times reported that malicious JavaScript libraries were infecting other libraries and leaving them vulnerable to computer threats.
“Respectfully, I will no longer support the Fortune 500 (and other smaller companies) with my free work. Take this opportunity to send me a six-figure annual contract or fork the project and get someone else to work on it.”
The Verge wrote in its report that the issue surrounding Squires could be one of many that developers face every day. The problem stems from their “free” labor, which comes at the cost of unpaid work and endless bug fixes on open source platforms.
This article is the property of Tech Times
Written by Joseph Henry
2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.