Sabotage in an open source project


A truly surprising incident in the last few days has highlighted how vulnerable the software and hardware supply chain can be, and how little support some open source projects receive despite their importance. Marak Squires, the programmer responsible for maintaining the NPM packages faker.js and colors.js, sabotaged his own repositories in protest at unpaid work and at his unsuccessful attempts to monetize them. Both packages are used by a wide variety of projects, which in turn are dependencies of other ecosystems and resources.

This incident highlights a serious problem that remains unresolved in the software supply chain: the code that ends up running on computers all over the world cannot be controlled 100%. This is not an open source problem, though. With proprietary software there is even less control, and if the developer has intentionally sabotaged the code, the possibility of correcting it is nil.

As you know, NPM is no minor thing: it is the Node.js package manager and the world's largest software registry, with hundreds of thousands of packages. It is free to use, and tons of third-party scripts and libraries can be downloaded with it.

As for the affected packages, colors.js has millions of downloads and is used by JavaScript and Node.js developers to apply custom colors and styles to console output. On GitHub, 4.3 million projects use it. In this case, malicious code was introduced that caused an infinite loop.

faker.js, for its part, is used by about 168,000 projects. In it he placed the message "endgame" (end of the game). The project page was also deleted, although one workaround was to retrieve the packages from archive.org.

What may look like a practical joke at first glance had real consequences for dependent projects. Moreover, although Squires was not the only maintainer of these repositories, he blocked the other maintainers' access to make sure no one could undo his action.

GitHub and NPM reacted quickly, removing the packages and temporarily suspending the author's account, but the damage had already been done.

The developer who sabotaged these open source projects posted on his personal blog that he did it because no company had financially supported colors.js and faker.js. The monthly subscription plans he started did not work out, and he received only a few donations through GitHub Sponsors and from a few peers. A difficult situation that ended up being a problem for many.

All this sparked a debate on Twitter between detractors and supporters of open source. Many also fear that other open source maintainers will follow his lead and do the same to their projects if the private organizations that exploit the code do not help out financially.

  1. Liam said

    And why didn't you abandon the project?
    It would have been better if he had dedicated himself to creating and selling proprietary software if what he wanted was to become a millionaire.

    Wow, there are such selfish people in the world, with the mentality of "if you're not mine, you're not anyone else's".