Late last week, thousands of projects that depend on the open source npm libraries faker and colors, which have over 20 million weekly downloads via npm alone, discovered that both libraries were malfunctioning and breaking their own products as a result.
Instead of working normally, both libraries printed gibberish preceded by the words “LIBERTY LIBERTY LIBERTY”. Everyone using the Amazon Cloud Development Kit, in particular, ran into problems.
At first, many assumed that the developer of faker and colors, Marak Squires, had simply been hacked, but it soon became clear that this was not the case. The author had sabotaged his own code, and the readme file accompanying the malicious update carried a message:
“What really happened to Aaron Swartz?” He posted the same message on Twitter, attaching a link to Reddit, where it was claimed that Swartz was killed after he discovered child pornography on the servers of the Massachusetts Institute of Technology.
Squires called the update “the American flag module”, as the ASCII gibberish printed when the libraries were loaded was supposed to resemble the American flag.
Reference:
Aaron Swartz was a well-known American programmer, writer and activist who committed suicide in 2013 under strange circumstances.
During his lifetime, Swartz was involved in creating Reddit, actively fought censorship on the Web (in particular, he opposed SOPA and PIPA), and was a member of the RDF group in the World Wide Web Consortium (W3C).
Shortly before his death, Swartz was accused of downloading documents from the JSTOR library with the intent of releasing them to the public. He faced up to thirty years in prison and multimillion-dollar fines. Soon afterwards, Swartz committed suicide without even leaving a note.
Numerous theories, some of them wild, have grown up around Swartz’s death, and many people remain convinced that the government actually assassinated the activist.
Squires apparently sabotaged the faker and colors code in revenge on corporations and commercial consumers of open-source software. These companies routinely rely on community-maintained free software but, according to Squires, give the community nothing in return. Back in November 2020, the developer wrote that he would no longer support corporations or do “free work” for them, and advised commercial organizations to consider either forking the projects or paying him a six-figure salary.
Squires’ act caused a mixed reaction in the community. While some called his actions “a bold move”, others expressed bewilderment, calling the deed irresponsible and Squires a fraud.
It later became known that Squires’ GitHub account had been blocked, which set off another round of online disputes. Many wonder since when deleting or corrupting one’s own code counts as a violation of GitHub’s rules, while others gloatingly note that after breaking thousands of other people’s projects, it would be strange to expect a different outcome.
You may also be interested in reading what GitHub specialists said about vulnerabilities in npm, and how 17 malicious npm packages stole Discord tokens.