
JavaScript dev deliberately screws up own popular npm packages to make a point of some sort

submitted by
Style Pass
2022-01-12 16:30:11

Updated Two popular open-source packages were recently sabotaged with mischievous commits, creating confusion among those using the software and exacerbating concerns about the fragility of the open-source software supply chain.

The npm packages, faker.js and colors.js, were not hijacked by outsiders, as has been known to happen; rather their creator added code to the software libraries that made them malfunction.

Three days ago, developer Marak Squires added a "new American flag module" to colors.js, a module that simplifies printing colored text in the developer console. The new code printed the word "LIBERTY" multiple times and an ASCII flag to the developer console and then went into an endless loop.

Six days ago, faker.js, used for generating fake data for API testing, also received an unexpected update: it removed the code, added the commit message "endgame," and replaced the ReadMe file with the question, "What really happened with Aaron Swartz?"

Swartz, something of an internet legend for his advocacy and tragedy, killed himself almost a decade ago following his indictment for downloading millions of JSTOR documents from MIT's network. Tomorrow, January 11, 2022, will be the ninth anniversary of his death. Squires appears to prefer a surreal conspiracy theory cited in a recent Twitter post.
