Developer Gets Suspended After Intentionally Sabotaging GitHub and Other Open-Source Libraries

Joseph Henry, Tech Times 10 January 2022, 12:01 am

An open-source developer sabotaged Npm and Github libraries after he introduced unnecessary file revisions on them. According to the report, "color.js." and "fake.js." have been corrupted.

At the moment, the latter version was still undergoing some changes while the former version was reverted to its "working" version. However, a cybersecurity publication wrote that it could be solved by going back to the 5.5.3 version.

Developer Corrupts Open-Source Libraries

(Photo : Pankaj Patel from Unsplash)
Developer Gets Suspended After Intentionally Sabotaging GitHub and Other Open-Source Libraries

According to a report from Bleeping Computer, a developer named Marak Squires added a file revision on the open-source library. The malignant commit with the new American flag module and fake.js version 6.6.6 appeared to have hit the Npm libraries.

The tech site noted that once these versions are installed, there would be an infinite loop for the apps. Strange symbols will appear on the project which shows the "LIBERTY LIBERTY LIBERTY" texts.

Furthermore, the case involved the alteration of the faker.js Readme file. It was discovered that its current name was changed to "What really happened with Aaron Swartz?"

The mentioned name in the file was a developer who became well-known for his contributions to several communities such as Reddit, RSS, and Creative Commons.

However, he was found out to be the culprit behind stolen documents from the academic database. He made these sources available for free public access. Two years later, he committed suicide and since then, some theories and rumors surfaced upon his death.

What Marak did to GitHub was something alarming. Since many depend on faker.js and color.js for their projects, the corrupted libraries cost them a lot of resources.

Amid the issue, Squires wrote an update on the open-source library to immediately respond. According to the developer, the previous faker.js package on NPM reverted to its old version. His GitHub account was suspended, per his tweet last week.

NPM has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz pic.twitter.com/zFddwn631S
— marak.com (@marak) January 6, 2022

Squires Gets Suspended

The Verge reported that shortly after tweeting about his GitHub suspension, it appears that it has eased up already. The timeline for Squires' case follows this period.

On Jan. 5, he injected the faker.js commit to Npm libraries, and two days later (Jan. 6), he was slapped with a ban. The suspension lasted until Jan. 7. At the time of writing, there was no mention if his account faced another ban anew.

Dating back to November 2020, Bleeping Computer spotted some important posts from Squires. According to the tech site, the developer said that he would no longer do "free work."

At this time, Tech Times reported that malicious JavaScript libraries infected libraries and made them vulnerable to computer threats.

"Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."

The Verge wrote in its report that the issue surrounding Squires could be one of many issues that developers face every day. The problem arises from their "free" service at the cost of being unpaid and endless bug fixing on the open-source platforms.

This article is owned by Tech Times

Written by Joseph Henry