An active developer on GitHub has released an update that corrupts two libraries that are used by thousands of open source projects and appears to have done so on purpose.

The developer had already made headlines in the past for his opposition to the way many companies, including very large ones, build open source code, often maintained by unpaid volunteers, into projects that go on to earn millions of dollars.

What happened

The developer is called Marak Squires. The two libraries are colors.js and faker.js; the first was downloaded over 23 million times on the NPM platform alone, while the second about 2.4 million times.

Squires updated the code so that it prints the US flag drawn in non-ASCII characters. The output is introduced by the words “LIBERTY LIBERTY LIBERTY”.

The faker.js library is used to generate fake data for demos; colors.js adds colors to JavaScript console output.

The result of this sabotage is an infinite loop in projects that use these libraries: the software keeps processing and printing the non-ASCII character sequence.

As early as November 2020, Bleeping Computer points out, Squires had pointed the finger at large companies that use open source code. “I no longer intend to support companies in the Fortune 500 (a list of the 500 US companies compiled on the basis of turnover, ed.) and other smaller companies with my unpaid work,” he wrote on GitHub. “There isn’t much more to say. Take this opportunity to send me a six-figure annual contract or fork the project and let someone else work on it.” A fork is a copy of a project’s open source code that is taken and modified to create a variant of it.

In addition, Squires added the question “What really happened to Aaron Swartz” to the readme file of the faker.js library. Swartz was a free software activist and developer. In April 2011 he was accused of downloading 4.8 million articles from the JSTOR digital academic archive with the intention of distributing them for free. After being released on bail, he faced up to 50 years in prison. He maintained his innocence throughout; in 2013 he took his own life.

Meanwhile JSTOR, which offers academic articles dating back to before 1923, whose original versions are therefore in the public domain (though JSTOR’s own versions are not), had decided at the end of 2011 to remove copyright protection from that content. JSTOR had also decided not to pursue Swartz, while the United States Department of Justice went ahead with its intention of taking Swartz to court.

The stance Squires took at the end of 2020 appears to be behind this new action, which this time has broken thousands of projects.

Squires’ GitHub account was suspended on January 6, after he pushed the corrupt update to the faker.js library; but on January 7 he published the new version of colors.js, so it is not clear whether his account is still suspended.

On January 6, as Marak himself noted, the previous version of faker.js, without the “liberty” update, was restored on NPM.