The developer of the open-source NPM libraries “colors” and “faker” deliberately pushed a sabotaged update to the npm registry, breaking thousands of apps that pulled it in automatically. While the developer intended it as a political statement, the incident underlines the risk companies take on when they pull open-source libraries into their builds without pinning or reviewing them.
When problems with NPM libraries make the news, it is usually because someone tricked developers into installing a malicious package. The technique, typosquatting, is essentially the same every time: attackers publish a package whose name differs slightly from that of a popular library, hoping developers will install it by mistake and hand them an entry point for later intrusions.
When the ‘colors’ and ‘faker’ libraries started breaking the applications that used them, the first suspicion was that an outside attacker had compromised the packages. It turned out that the developer himself had pushed the sabotaged updates.
According to a Bleeping Computer report, numerous app developers started seeing problems after installing the update, only to find that the libraries’ creator had intentionally sabotaged them.
The sabotaged ‘colors’ release introduced an infinite loop that hung any app loading it, and the ‘faker’ release was stripped of its functionality, so applications depending on either became unusable. The developer was unhappy that many Fortune 500 companies had been using his code to build products for profit, and the malicious update was his way of getting back at them. Thousands of projects depend on these two libraries, and any project that declared them with a semver range such as ^1.4.0 rather than an exact version picked up the new release on its next install, so the number of affected apps is considerable.
It is unclear how many downloaded the new versions, but GitHub, which also operates the npm registry, quickly pulled them, as it would for any other malicious package. Projects that picked up the sabotaged releases should downgrade to the last good versions, 1.4.0 for ‘colors’ and 5.5.3 for ‘faker’, and pin them exactly so a future release cannot be pulled in automatically.
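A practical way to act on that advice is to audit a project's manifest and lockfile rather than trusting that nothing floated. The script below is an added example, not code from the article or from the colors/faker projects: it treats the downgrade targets named above (1.4.0 and 5.5.3) as the last known-good versions, reports any resolved version newer than them, and flags any package.json range that would let a fresh install drift onto a new release. The manifest and lockfile it reads are constructed sample input, so it runs offline; the lockfile deliberately mimics a project whose caret range pulled in a colors release beyond 1.4.0.

```javascript
'use strict';
// Added example (not code from the article or the colors/faker projects):
// audit package.json + package-lock.json for the two sabotaged packages.
// LAST_GOOD holds the downgrade targets the article gives; anything newer is
// reported, as is any range spec (^, ~, *, >=, "latest") that is not pinned.

const LAST_GOOD = { colors: '1.4.0', faker: '5.5.3' };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts.
// Returns null for anything that is not a single concrete version.
function parseVersion(v) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || '' };
}

// Compare on the numeric triple only; a pre-release of a version we never
// pinned is just as unwanted as the release itself, so the tag is ignored.
// Returns >0 if a is newer than b, <0 if older, 0 if the triples match.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`not a concrete version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return 0;
}

// A dependency spec is pinned only if it names one exact version.
function isPinned(spec) {
  return parseVersion(spec) !== null;
}

// Collect resolved versions, including nested installs, from lockfileVersion
// 2/3 ("packages" keyed by node_modules path) or lockfileVersion 1
// ("dependencies" tree). v2 carries both; use "packages" when present.
function resolvedVersions(lockfile) {
  const out = {};
  const add = (name, version) => {
    if (name && version) (out[name] = out[name] || []).push(version);
  };
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      add(path.split('node_modules/').pop(), entry.version);
    }
  } else {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        add(name, entry.version);
        walk(entry.dependencies);
      }
    };
    walk(lockfile.dependencies);
  }
  return out;
}

// Returns a list of findings: floating ranges in the manifest and resolved
// versions in the lockfile that are newer than the last known-good release.
function auditProject(manifest, lockfile) {
  const findings = [];
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const resolved = resolvedVersions(lockfile);
  for (const [name, lastGood] of Object.entries(LAST_GOOD)) {
    if (name in declared && !isPinned(declared[name])) {
      findings.push({ package: name, issue: 'floating range', detail: declared[name] });
    }
    for (const v of new Set(resolved[name] || [])) {
      if (compareVersions(v, lastGood) > 0) {
        findings.push({ package: name, issue: 'newer than last known-good', detail: `${v} > ${lastGood}` });
      }
    }
  }
  return findings;
}

// Constructed sample input: the caret range on colors let npm resolve a
// release beyond 1.4.0, while faker stayed pinned to the last good version.
const SAMPLE_MANIFEST = {
  dependencies: { colors: '^1.4.0', faker: '5.5.3', express: '^4.17.1' },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: SAMPLE_MANIFEST.dependencies },
    'node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/express': { version: '4.17.2' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditProject(SAMPLE_MANIFEST, SAMPLE_LOCKFILE)) {
    console.log(`${f.package}: ${f.issue} (${f.detail})`);
  }
}
```

Run against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync('package.json'))` and the lockfile; on the sample it reports two findings for colors (the ^1.4.0 range and the resolved 1.4.44-liberty-2) and none for faker. The fix for a floating range is to declare the exact version and install with `npm ci`, which fails rather than silently resolving when the lockfile and manifest disagree.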