
The insecurity of open-source: a developer has altered two libraries used by millions

Marak Squires, an open-source developer, has deliberately corrupted the source of faker.js and colors.js (two libraries with roughly 25 million combined weekly downloads) on GitHub and npm, breaking every project that depends on them. The sabotaged versions spew strange letters and symbols to the console, starting with the phrase "LIBERTY LIBERTY LIBERTY".

The faker.js readme was also changed to read "What really happened with Aaron Swartz?", a reference to the well-known programmer and activist who took his own life in 2013.

In a November 2020 post on GitHub, Squires had already stated that he no longer wanted to work for free just to support Fortune 500 companies, adding that unless he received a six-figure annual contract he would stop working on the project.

In short, there seems to be a deeper motive behind Squires' move, both financial and ethical. A huge number of applications and websites rely, free of charge, on the work of open-source developers, who often see no recognition for that work and instead find themselves handling bug reports and urgent vulnerabilities (leaving aside those who are paid by their employer to develop open code). At the same time, the fact that a single maintainer can cause this much damage, and could have been far more malicious (a package that runs arbitrary code at install or import time can do much worse than print garbage), says something about the entire infrastructure and the risks built into it.

In the meantime colors.js has been updated to a working version, while faker.js does not yet appear to be fixed; downgrading to version 5.5.3 should be enough to work around the problem, provided the version is pinned exactly, since a caret range in package.json would let the package manager pull the sabotaged release back in.
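To make that workaround concrete, here is an added example (not code from the article, and not from the faker.js or colors.js projects) that audits an npm lockfile for installed copies of the two packages newer than their last known-good release, including nested copies pulled in by other dependencies, and produces the package.json `overrides` block that pins them. The lockfile contents are constructed for the example; faker 5.5.3 is the version the article names, while colors 1.4.0 as the last safe release and the `POLICY`, `auditLockfile` and `buildOverrides` names are assumptions made here.

```javascript
// Added example: audit a package-lock.json for sabotaged dependency versions
// and produce the pins that keep them out. Not part of the article or of the
// faker.js / colors.js projects.

// Last known-good version per package. faker 5.5.3 is the downgrade named in
// the article; colors 1.4.0 is an assumption made for this example.
const POLICY = {
  faker: "5.5.3",
  colors: "1.4.0",
};

// Constructed lockfile (lockfileVersion 2 layout: a flat "packages" map keyed
// by install path). Versions are illustrative, not taken from the article.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { faker: "^6.0.0", colors: "^1.4.0" } },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/colors": { version: "1.4.2" },
    // A nested copy pulled in by another dependency; still on a safe version.
    "node_modules/some-cli/node_modules/colors": { version: "1.4.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric semver comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i] ? 1 : -1;
  }
  return 0;
}

// "node_modules/x/node_modules/@scope/y" -> "@scope/y"
function packageName(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Walk every installed copy (top-level and nested) and flag any copy of a
// policed package that is newer than its last known-good version, or whose
// version string cannot be parsed at all (fail closed).
function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project itself
    const name = packageName(installPath);
    if (!name || !(name in policy)) continue;
    const installed = parseVersion(entry.version || "");
    const maxSafe = parseVersion(policy[name]);
    if (!installed || compareVersions(installed, maxSafe) > 0) {
      findings.push({ name, installPath, version: entry.version, pinTo: policy[name] });
    }
  }
  return findings;
}

// Build the package.json "overrides" block (npm 8.3+) that forces every copy,
// including nested ones, to the known-good version.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.pinTo;
  return overrides;
}

const findings = auditLockfile(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.installPath}: ${f.name}@${f.version} exceeds ${f.pinTo}`);
}
console.log("overrides:", JSON.stringify(buildOverrides(findings)));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run the script with `node`. The caret ranges in the sample root entry are exactly what allow a sabotaged 1.4.x or 6.x release back in on the next install, so pin with `npm install faker@5.5.3 --save-exact` or keep the generated `overrides` in package.json, and re-run the audit in CI so a regenerated lockfile cannot silently undo the pin.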

Via: The Verge