January 10 2022 | 1 min read
Fourteen months after declaring “Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” developer Marak Squires introduced corrupt updates to the colors.js and faker.js libraries, resulting in an infinite loop that prevented thousands of applications from functioning.
While many people in the open source community might be familiar with the sentiment, Squires's decision to sabotage his own code base was out of the ordinary.
colors.js is a very useful and highly-rated NPM package that enables developers to easily control console output text and background colors. It is downloaded 22.4 million times per week. Faker.js, which is downloaded 2.5 million times weekly, generates fake data for demos.
Squires inserted an infinite loop that prints an artistic interpretation of a console-based American flag and an Uncle Sam-like character to the screen, causing the systems using it to halt. This resulted in a Denial-of-Service attack on applications that consumed the affected version of the package.
Commit contents shown below:
We used Apiiro to analyze the colors.js repository and out of 259 commits, only one was flagged as an anomaly: the malicious commit “074a0f8” from Jan 9.
As an industry, we need to use this incident as an opportunity to rethink how we secure our Software Development Lifecycle, from custom code to open source dependencies. Specifically, here are a few recommendations: