
Best of 2022: npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by Their Maintainer—What to do Now?
As we close out 2022, we at Security Boulevard want to highlight the most popular articles of the year. The following is the latest in our Best of 2022 series.
In what can only be described as one of the most bizarre events in the history of open source, the massively popular open source libraries colors.js and faker.js were sabotaged by their own maintainer, as I first reported over the weekend.
To avoid any confusion: the GitHub project colors.js is published on the npm registry simply as ‘colors’, has recorded more than 3.3 billion lifetime downloads and has over 19,000 dependent projects. Similarly, faker.js exists on npm as ‘faker’ and has been retrieved 272 million times from the npm registry, with over 2,500 dependents. Both projects are developed and maintained by the same author, Marak Squires.
Note that the hijacked versions of both projects were recorded as “malicious” in Sonatype’s data under the identifiers sonatype-2022-0215 and sonatype-2022-0216. The security data was made available to our customers the same day.
The immense download rate of these two components can be attributed to the basic, but essential, functionality they provide to JavaScript developers: ‘Colors’ lets you print colorful text messages on the console, whereas ‘faker’ helps devs generate fake data for their applications, for testing or staging purposes.
‘Colors’ and ‘faker’ Debacle Hits Thousands of Applications
Many open source developers were ill at ease yesterday, suspecting that these popular dependencies, ‘colors’ and ‘faker’, had been compromised. Given the recent ua-parser-js and coa/rc npm library hijacking incidents, that assumption was reasonable once the mysterious ‘colors’ versions 1.4.1, 1.4.2, and 1.4.44-liberty-2 appeared on npm:
Those whose applications pulled this recently published (Read more...)
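As an added example (not code from the original post, nor from the colors or faker projects), here is a Node.js check that walks a package-lock.json and reports every install of the ‘colors’ versions named above, whether the lockfile uses the flat `packages` map (lockfileVersion 2/3) or the nested `dependencies` tree (lockfileVersion 1). The two lockfile objects and the package name `some-cli` are constructed for the example; the sabotaged ‘faker’ release is not named in this excerpt, so the flagged table deliberately lists only the colors versions.

```javascript
// Added example, not code from the original post or from the colors/faker
// projects: audit an npm lockfile for the 'colors' releases the article names.
// The lockfile objects below are constructed for this example.
const FLAGGED_VERSIONS = {
  // Only versions the article explicitly lists; the sabotaged faker release
  // is not named in this excerpt, so it is deliberately not guessed here.
  colors: new Set(["1.4.1", "1.4.2", "1.4.44-liberty-2"]),
};

// Package name from a lockfileVersion 2/3 "packages" key such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// lockfileVersion 2/3: flat "packages" map keyed by install path. Aliased
// installs carry an explicit "name", which takes precedence over the path.
function scanPackagesMap(packages, flagged, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "" || !meta || typeof meta.version !== "string") continue; // root entry
    const name = meta.name || nameFromPath(path);
    if (flagged[name] && flagged[name].has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, recursed depth-first.
function scanDependencyTree(deps, flagged, hits, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (meta && typeof meta.version === "string" && flagged[name] && flagged[name].has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
    if (meta && meta.dependencies) scanDependencyTree(meta.dependencies, flagged, hits, `${path}/`);
  }
}

// Returns every install of a flagged package/version, sorted by install path.
function auditLockfile(lock, flagged = FLAGGED_VERSIONS) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, flagged, hits);
  else scanDependencyTree(lock.dependencies, flagged, hits, "");
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed lockfileVersion 2 sample: top-level colors 1.4.1 (flagged) and a
// nested, older colors 1.4.0 under the hypothetical some-cli (not flagged).
const SAMPLE_LOCK_V2 = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { colors: "^1.4.0", faker: "^5.5.3", "some-cli": "^2.0.0" } },
    "node_modules/colors": { version: "1.4.1" },
    "node_modules/faker": { version: "5.5.3" },
    "node_modules/some-cli": { version: "2.0.0", dependencies: { colors: "1.4.0" } },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.0" },
  },
};

// Constructed lockfileVersion 1 sample with two flagged installs, one nested.
const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    colors: { version: "1.4.44-liberty-2" },
    "some-cli": {
      version: "2.0.0",
      requires: { colors: "1.4.2" },
      dependencies: { colors: { version: "1.4.2" } },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
    const hits = auditLockfile(lock);
    console.log(`${lock.name}: ${hits.length} flagged install(s)`);
    for (const h of hits) console.log(`  ${h.path} -> ${h.name}@${h.version}`);
  }
}
```

To run it against a real project, replace the samples with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any hit means the lockfile resolved one of the sabotaged releases and that install should be reviewed and pinned back before the next deploy. Checking the lockfile rather than package.json matters because a caret range such as `^1.4.0` is exactly what pulled these versions in.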
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/npm-libraries-colors-and-faker-sabotaged-in-protest-by-their-maintainer-what-to-do-now