Developer Gets Suspended After Intentionally Sabotaging GitHub and Other Open-Source Libraries

An open-source developer sabotaged his own npm and GitHub libraries by introducing unwanted file revisions to them. According to the report, "colors.js" and "faker.js" were corrupted.

At the time, the latter was still undergoing changes while the former had been reverted to a "working" version. A cybersecurity publication wrote that the problem could be resolved by going back to version 5.5.3.

Developer Corrupts Open-Source Libraries


According to a report from Bleeping Computer, a developer named Marak Squires pushed a file revision to the open-source library. The malicious commit, which added a new American flag module, and faker.js version 6.6.6 appear to have reached the npm registry.

The tech site noted that once these versions are installed, applications enter an infinite loop. Garbled characters appear in the project's output alongside the text "LIBERTY LIBERTY LIBERTY".

The faker.js README file was also altered: its title was changed to "What really happened with Aaron Swartz?"

The person named in the file was a developer who became well known for his contributions to projects such as Reddit, RSS, and Creative Commons.

He was later identified as the person behind the mass downloading of documents from an academic database, which he made available for free public access. Two years later he died by suicide, and theories and rumors have circulated about his death since.

What Marak did was alarming. Because many projects depend on faker.js and colors.js, the corrupted libraries cost their users significant time and resources.

In response, Squires posted an update to the open-source library. According to the developer, the faker.js package on npm was reverted to its earlier version. Per his tweet last week, his GitHub account was suspended.


Squires Gets Suspended

The Verge reported that shortly after Squires tweeted about his GitHub suspension, the suspension appeared to have been lifted. The timeline of his case is as follows.

On Jan. 5, he pushed the faker.js commit to npm, and on Jan. 6 he was hit with a ban. The suspension lasted until Jan. 7. At the time of writing, there was no mention of his account facing another ban.

Bleeping Computer also spotted notable posts from Squires dating back to November 2020. According to the tech site, the developer said he would no longer do "free work."

At the time, Tech Times reported that malicious JavaScript libraries had infected other libraries and left them vulnerable to threats.

"Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."

The Verge wrote that the issue surrounding Squires could be one of many that open-source developers face every day: they provide "free" labor, going unpaid while handling endless bug fixes on open-source platforms.


This article is owned by Tech Times

Written by Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.