npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer
The maintainer of these npm libraries intentionally published corrupted versions containing infinite loops, effectively causing a denial of service in any application that pulled in the new releases.
Impact
This incident affected a large but unknown number of users and impacted large downstream projects such as aws-cdk, Jest and the Node.js Open CLI Framework.
It triggered another wave of conversations around pinning (locking) dependencies so that builds do not silently pick up new upstream releases.
A few weeks after this incident, it was announced that maintainers of the top 100 npm packages are now required to use 2FA.
Type of Compromise
This incident fits the malicious maintainer definition.
References
- The story behind colors.js and faker.js
- npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer—What to do Now?
- Open Source Developer Sabotages npm Packages ‘Colors,’ ‘Faker’
- https://snyk.io/blog/open-source-npm-packages-colors-faker/