JavaScript developer destroys own projects in supply chain ‘lesson’ – Naked Security

You’ve probably seen the news, even if you’re not sure what happened.

Unless you’re a JavaScript programmer and have relied on either of a pair of modules called faker.js and colors.js.

If you were a user of one of these projects, and if you are (or were!) inclined to automatically accept all updates to your source code without any sort of code review or testing…

… you probably know very well what happened and how it affected you.

Supply chain attacks

Long-time readers of Naked Security will be familiar with the problem of so-called supply chain attacks in open source software libraries, because we have covered this type of problem in several programming ecosystems before.

We’ve written about security vulnerabilities suddenly appearing in many coding communities, including PHP programmers, Pythonistas, Ruby users, and NPM fans.

Last year, we even had reason to debate the morality of so-called academic researchers who deliberately used the Linux kernel source code repository as a testing ground for what they shamelessly called “hypocrite commits”.

Software supply chain attacks typically involve toxic, dangerous or otherwise deliberately modified content that reaches your network or your development team indirectly, through something you already trusted, rather than by a direct hack in which attackers break into your network and mount a frontal attack.

Supply chain attacks are often passed on entirely unintentionally by one of your product or service providers, who may themselves have ingested unauthorized changes from someone further upstream, and so on.

Unethical, maybe, but sometimes not criminal

As mentioned above, however, supply chain problems of this type do not always stem from criminal intent, even though they may ultimately be deemed unethical (or childish, or poorly thought out, or a combination thereof).

We’ve already mentioned the hypocrite commits, which were meant to remind us all that it’s possible to inject malicious backdoor code under the guise of two or more modifications that don’t introduce security holes on their own, but that create a vulnerability when combined.

And we linked to the story of a “researcher” who was so keen to remind us how easy it is to create treacherous software packages that he deliberately uploaded nearly 4000 of them in a sustained burst of “usefulness”.

As we suggested at the time, these two sets of “experts” – the hypocrites and the overloaders – seem to have adopted the self-serving motto that if a job is worth doing, it is worth overdoing…

…thereby creating huge amounts of unnecessary work for other innocent volunteers in the Linux and Python communities respectively.

Colors and Faker go rogue

This time, the founder of two JavaScript coding modules known as colors.js and faker.js threw two slightly different spanners into the works.

Colors is a simple little toolkit that helps you add colored text to your console output, often in order to make the information more interesting to look at and easier to read.

For example, when we recently made our Log4Shell – The Movie video, we added a splash of color to the output of our mock LDAP server to help track incoming requests, using ANSI control sequences in the terminal output to add green and red markers indicating successes and failures:

Sparing use of green and red terminal markers for visual appeal and clarity.

Unfortunately for colors.js users, the founder of the project, after not releasing any updates since 2019, suddenly added new code that took the version number from 1.4.0 to the somewhat unusual version id of 1.4.4-liberty-2.

Fed up, apparently, with never getting the financial recognition he felt he deserved from the many people who used his work, the founder trashed his own code by adding an infinite loop like this:

/* remove this line after testing */
let am = require('../lib/custom/american');
for (let i = 666; i < Infinity; i++) {
  if (i % 333) {
    // console.log('testing'.zalgo.rainbow)
  }
  console.log('testing testing testing testing testing testing testing'.zalgo)
}

The loop at the end of this code prints the text testing testing ... testing over and over again, after applying a function called zalgo to it.


Zalgoification, if you’ve never heard of it, is a way to make ordinary Roman characters look weird and meaningless by peppering them with accents, cedillas, umlauts and other so-called diacritics – a bit like naming your band Motörhead instead of Motorhead, but without the restraint of adding just one extra symbol.

Zalgoed text is not only meaningless, but also often puts a heavy load on the underlying text rendering software that tries to typeset and lay it out for display.

A human calligrapher would balk at being asked to add all possible accents to every letter of a word, knowing it would make no sense.

But a computerized typesetter will simply try to oblige by combining all the marks you request, giving your band Zalgometal a stylized name something like this:

Diacritical marks added randomly and without meaning in the text
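Zalgo text works by stacking Unicode combining marks (general category M) onto ordinary letters, and each mark is a separate code point that the renderer has to compose. The code below, an added example that is not part of the original article, shows how a log viewer or chat front end could measure that stacking and cap it: the sample string, the marks chosen and the threshold are all constructed for illustration.

```javascript
// Added example (not from the article or the colors.js project): measure and
// limit stacked combining marks. The sample text and thresholds are constructed.

// Split text into base characters and count the combining marks on each one.
// Iterating with for...of walks code points, not UTF-16 units.
function combiningMarkProfile(text) {
  const clusters = [];
  for (const ch of text) {
    if (/\p{M}/u.test(ch) && clusters.length > 0) {
      clusters[clusters.length - 1].marks += 1;
    } else {
      // A leading mark with nothing to attach to is treated as its own base.
      clusters.push({ base: ch, marks: 0 });
    }
  }
  return clusters;
}

// Keep at most `maxMarks` combining marks per base character (0 strips them
// all), which bounds the work a text renderer has to do on the output.
function limitCombiningMarks(text, maxMarks) {
  let out = '';
  let marksOnCurrent = 0;
  for (const ch of text) {
    if (/\p{M}/u.test(ch)) {
      if (out.length > 0 && marksOnCurrent < maxMarks) {
        out += ch;
        marksOnCurrent += 1;
      }
    } else {
      out += ch;
      marksOnCurrent = 0;
    }
  }
  return out;
}

// Heuristic a pipeline might apply before rendering: legitimate accented text
// rarely carries more than one mark per letter, so a high average is a flag.
function looksZalgoed(text, maxAverageMarks = 1.5) {
  const profile = combiningMarkProfile(text);
  const bases = profile.length;
  const marks = profile.reduce((n, c) => n + c.marks, 0);
  return bases > 0 && marks / bases > maxAverageMarks;
}

// Constructed sample: "Zalgometal" with three marks stacked on every letter
// (combining long stroke overlay, comma above right, acute accent).
const MARKS = '\u0336\u0315\u0301';
const ZALGO_SAMPLE = [...'Zalgometal'].map((c) => c + MARKS).join('');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(ZALGO_SAMPLE, looksZalgoed(ZALGO_SAMPLE));
  console.log(limitCombiningMarks(ZALGO_SAMPLE, 0), looksZalgoed('Motörhead'));
}
```

A precomposed character such as the ö in Motörhead is a single code point in category L, not M, so it scores zero marks; even the decomposed form (o followed by U+0308) is one mark per letter at most, which is why the threshold above leaves ordinary accented names alone.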

A memorial to Aaron Swartz

Faker users experienced a different kind of update, with the project essentially being wiped out and replaced with a README file asking, “What really happened with Aaron Swartz?”

Swartz, a “hacktivist” who was charged with federal offenses relating to unauthorized access to academic documents that he argued should not have been kept behind a paywall, sadly took his own life under the stress of awaiting trial.

The Faker project at its endgame. Note the “endgame” comment, the lack of source code files, and the README recalling Aaron Swartz.

Faker was a handy developer toolkit that made it easy to generate large amounts of realistic but invented data for quality assurance, such as creating 100,000 names and addresses that you could add to your user database during development.

Fake data is an essential part of avoiding a privacy disaster while you’re still working with incomplete and untested code, because it means you’re not exposing authentic, sensitive data in a thoughtless (and possibly illegal) way.

The Faker author apparently tried to bring the project to market in 2021, but was unsuccessful, so it looks as though he has now given the code its coup de grâce.

That plan apparently went nowhere, with little funding forthcoming from enterprise users.

Since the code has been released for many years under the MIT license – which basically means anyone can use it for free, even in commercial closed-source products, as long as they don’t claim to have created it themselves – there is nothing preventing existing users from continuing with the previous version, or indeed any previous version.

They can even make their own changes and improvements as they see fit…

…so it’s not clear what the end result of the project’s spectacular destruction will be for the author, given that he can’t retrospectively rewrite the licenses of users who have already downloaded and deployed it.
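The practical lesson for users is that an update only reaches production if something lets it in: a floating version range in package.json plus an unreviewed reinstall. The script below is an added example, not code from the article or from either project, showing the pre-flight check a reviewer could run: it lists dependency specifiers that allow npm to pick a newer release on its own, and diffs two package-lock.json snapshots to show exactly which resolved versions changed. All package names, versions and file contents are constructed; the only value taken from the article is the 1.4.4-liberty-2 version id.

```javascript
// Added example (not the article's or the projects' code): a reviewer's
// pre-flight check for dependency updates. All inputs below are constructed.

// An exact version has no range operator, wildcard or dist-tag in front of it.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Anything that is not an exact version (^1.4.0, ~1.4.0, *, 1.x, >=1.0.0,
// "latest") lets a fresh install pull in a release nobody on the team reviewed.
function findFloatingDependencies(pkg) {
  const floating = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) {
        floating.push({ field, name, spec });
      }
    }
  }
  return floating;
}

// A pre-release tag directly after the patch number (e.g. "-liberty-2") is not
// what a routine patch release looks like and deserves a human glance.
function hasPrereleaseTag(version) {
  return /^\d+\.\d+\.\d+-/.test(version);
}

// Diff the "packages" maps of two package-lock.json (lockfileVersion 2/3)
// snapshots and report every dependency whose resolved version changed.
function diffLockfiles(before, after) {
  const changes = [];
  const keys = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const key of keys) {
    if (key === '') continue; // the root project's own entry
    const from = before.packages[key] ? before.packages[key].version : null;
    const to = after.packages[key] ? after.packages[key].version : null;
    if (from !== to) {
      changes.push({
        name: key.replace(/^node_modules\//, ''),
        from,
        to,
        prerelease: to !== null && hasPrereleaseTag(to),
      });
    }
  }
  return changes.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed project: faker and mocha are pinned, colors is allowed to float.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { colors: '^1.4.0', faker: '5.5.3' },
  devDependencies: { mocha: '9.1.3' },
};

const LOCK_BEFORE = {
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/mocha': { version: '9.1.3' },
  },
};

// Constructed lockfile after an unreviewed reinstall: colors has floated to the
// version id the article mentions, nothing else moved.
const LOCK_AFTER = {
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.4.4-liberty-2' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/mocha': { version: '9.1.3' },
  },
};

function reviewReport() {
  return {
    floating: findFloatingDependencies(SAMPLE_PACKAGE_JSON),
    changed: diffLockfiles(LOCK_BEFORE, LOCK_AFTER),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(reviewReport(), null, 2));
}
```

Run against real files by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` of your package.json and the two lockfile revisions; the report is the list a code reviewer should be looking at before an update is merged.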

Does anyone win or do we all lose?

As one aggrieved commenter put it (someone who presumably pushed the update into production without reviewing what had changed, and suffered a temporary outage as a result), it didn’t really end well for anyone:

Isn’t it interesting that it’s people with no reputation who seem to think that reputation has no value? To all the people here who say “we learned a valuable lesson about trusting free software”; understand this…

To cause me 15 minutes of grief, all Marak had to do was irreversibly destroy his own reputation.

Whose side are you on in a matter like this? Let us know in the comments below…