Two JavaScript modules sabotaged by their creator


The creator of two JavaScript modules, available on npm and GitHub, has deliberately released two updates rendering these two modules inoperative. The updates contained a mechanism that caused an infinite loop in any program that loaded one of the two modules, filling the program's console with spurious characters. In the readme files attached to the project, the developer posted a message referring to the death of Aaron Swartz. The hashtag #AaronSwartz was also echoed on the developer's Twitter account, in a post that appears to claim responsibility for the malicious updates.

Faker.js is a library for generating fake data on the fly for application testing. It was used by just over 2,500 projects and had no less than 2.8 million weekly downloads. Colors.js, for its part, was used in less than 19,000 projects and had 23 million weekly downloads. This module is used to format text within an application, notably to apply colors to it.

While many users initially suspected a strange hack, it actually appears that the author of both projects intentionally sabotaged his own code. In the case of Faker and Colors, the creator of the two projects had already mentioned in the past that he no longer wanted his code to be used by large companies without compensation, as reported by Bleeping Computer. But the personality and the exact motives of the developer behind this update are difficult to pinpoint: on his Twitter account he invokes the memory of Aaron Swartz, but also refers to several conspiracy theories linked to the Ghislaine Maxwell trial and to Gamergate. Since last week and the publication of several apparently ironic messages about the situation, the Twitter account of the author of the two projects has remained silent and offers no more precise explanation of the reasons for his act.

More like Leftpad or Log4shell?

According to the developer's Twitter account, GitHub suspended his account in response to the release of the malicious update, and npm has restored the working versions of the two projects published on its platform. The decision prompted a reaction from many developers, surprised to see that platforms like GitHub and npm grant themselves the right to reinstate content deleted by a user.

But this is not exactly a first: in 2016, in a similar case, this time involving the Leftpad JavaScript module, npm chose to do exactly the same thing by reinstating a module deleted by its author and on which many projects depended. Long before the takeover of npm by GitHub and Microsoft, the package manager had therefore already chosen to favor the proper functioning of projects dependent on the affected modules over the will of the creator of the original project.

The case also sheds light on the thorny issue of open source maintenance, already brought to the fore by the flaws discovered in Log4j. Open source projects have become the building blocks of many business projects, but the maintainers and developers who work on these essential projects are rarely paid and sometimes work as quasi-volunteers. Beyond the question of money, many open source projects exist only thanks to the goodwill of maintainers and developers, and the withdrawal of a single project can affect thousands of others in a domino effect.
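A sabotaged release like the ones described above only reaches a downstream project automatically if that project's dependency range lets npm resolve to it. As an added example (not code from the article or from either project), the Node.js script below audits a constructed package.json for floating semver ranges and reports how far each one can drift; the package names, ranges and the watchlist are constructed placeholders, not the incident's real data.

```javascript
// Added example, not code from the article or from either project.
// A sabotaged release only reaches downstream projects whose dependency
// ranges let npm resolve to it; this script audits a manifest for such ranges.
// Package names, ranges and the watchlist below are constructed placeholders.

const SAMPLE_PACKAGE_JSON = {            // constructed sample manifest
  name: "example-app",
  dependencies: {
    "colors": "^1.4.0",    // caret: any 1.x.y >= 1.4.0 is accepted
    "faker": "~5.5.0",     // tilde: any 5.5.x >= 5.5.0 is accepted
    "left-pad": "1.3.0",   // exact pin: only this version
    "lodash": ">=4.0.0"    // open-ended range
  }
};

const HIGH_RISK_WATCHLIST = ["colors", "faker"]; // hypothetical team watchlist

// True when the range is anything other than an exact x.y.z pin, i.e. when
// a newer release could be installed without any change to package.json.
function isFloatingRange(range) {
  return !/^\d+\.\d+\.\d+$/.test(range.trim());
}

// How far a floating range can drift. Caret on a 0.x version only admits
// patch releases, which is the one semver subtlety worth getting right here.
function driftKind(range) {
  const r = range.trim();
  if (!isFloatingRange(r)) return "none";
  const caret = /^\^(\d+)\./.exec(r);
  if (caret) return caret[1] === "0" ? "patch" : "minor+patch";
  if (/^~\d/.test(r)) return "patch";
  return "unbounded";
}

// Audit dependencies and devDependencies; returns one finding per floating range,
// flagging packages on the watchlist so they can be pinned (or locked) first.
function auditManifest(manifest, watchlist) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, range]) => isFloatingRange(range))
    .map(([name, range]) => ({
      name, range, drift: driftKind(range), watched: watchlist.includes(name)
    }));
}

console.table(auditManifest(SAMPLE_PACKAGE_JSON, HIGH_RISK_WATCHLIST));
```

Exact pins plus a committed lockfile stop the drift, but a lockfile only helps if the version it records was itself reviewed before being locked in.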
