TEXXR
An open-source developer, expressing regret for supporting “Fortune 500s”, breaks ~19K projects by corrupting popular NPM libraries; GitHub reverts the changes

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications …

BleepingComputer Ax Sharma

Discussion

  • @bleepincomputer @bleepincomputer on x
    Scoop: Developer sabotages ‘colors.js’ and ‘faker.js’ open-source projects, breaking thousands of projects, in retaliation against big businesses exploiting open-source - @Ax_Sharma https://www.bleepingcomputer.com/ ...
  • @marak @marak on x
    NPM has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz https://twitter.com/...
  • @webjedi @webjedi on x
    So, oddly one thing I didn't cover in my last article... but it was in the back of my mind when you look into developer psyche and abuse from large orgs who abuse the “free, community aspect” of many FOSS projects. That and rifts in project leadership & poison pills. https://twit…
  • @vessonsecurity @vessonsecurity on x
    This is fucking irresponsible. If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break. https:…
  • @sgomez Sergio Gómez on x
    Removing your own code from @github is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code. https://twitter.com/...
  • @infosec_taylor Ashley on x
    Not a fan of the approach. It's never the companies that get hurt over this stuff, just the worker bees who suffer and get fired. https://twitter.com/...
  • @carnage4life @carnage4life on x
    It's notable how the same VC firm consistently finds platforms that centralize previously decentralized efforts then make billions adding usability to accessing other people's Open Source & creative projects. https://a16z.com/...
  • @lefterisjp @lefterisjp on x
    an #opensource developer (@marak) botched 2 of his javascript packages in order to send a message opensource work should be funded and not just exploited by the big corps that leech off the hard work of passionate devs https://github.com/... He is now being called a terrorist htt…
  • @chr1sa Chris Anderson on x
    I'm a huge believer in open source, but these supply chain vulnerabilities are only going to get worse Best practice is to build a Software Bill of Materials (SBOM) & version manage the whole thing, just as you would with enterprise IT https://www.theverge.com/...
  • @carnage4life @carnage4life on x
    Dev introduces an infinite loop that bricked thousands of projects that depend on their colors.js & faker.js packages. It's in protest of corporations benefiting from Open Source. GitHub responds by reverting the change & banning their account. Centralization strikes again. https…
  • @jgamblin Jerry Gamblin on x
    Apparently, if you sabotage your own code @github will suspend your account. https://www.bleepingcomputer.com/ ... https://twitter.com/...
  • @sigsys @sigsys on x
    While what the dev did was a bit rash and arguably at least somewhat unethical, GitHub suspending his account due to him modifying his own intellectual property is relatively more unethical. The license for his software implies no warranty etc. https://twitter.com/...
  • @iammandatory @iammandatory on x
    Surprised the “chaotic” outcome like this isn't seen more often with so much of programming depending on random devs maintaining projects for free. Ethically pretty interesting too since it is their package/project to do with what they want (for the most part). https://twitter.com/.…
  • @bartwronsk Bart Wronski on x
    https://www.bleepingcomputer.com/ ... Are “packages” that are in external repository and automatically update one of the worst ideas when it comes to code safety / security? “Yeah I'll pull and execute arbitrary code from some open source repo” - it always had “wtf” vibes to me.
  • @nyetalia @nyetalia on x
    regardless of any other feelings about the validity of the dev doing this (I personally err on the side of it was dumb) I feel like the real story is how GitHub rolled it back and suspended his account for updating his own project ‘wrong’ https://twitter.com/...
  • @andrestaltz @andrestaltz on x
    Ok, actually, this is pretty inspiring: https://github.com/...
  • @jimfhall Jim Hall on x
    I wish this developer found a different outlet for his frustrations. I get it, some orgs use open source and don't give back. But by this sabotage, you're only teaching people not to trust #OpenSource Dev corrupts NPM libs, breaking thousands of apps https://www.bleepingcomputer.…
  • @mycoliza @mycoliza on x
    time to update your threat model https://twitter.com/...
  • @filosottile @filosottile on x
    How can we even start talking about supply chain security and sustainability if a maintainer publishing a bad npm package version breaks everyone instantly? Stable, deterministic pinning is table stakes. https://www.theverge.com/...
  • @mefrombefore @mefrombefore on x
    if your app pulls random code from the internet to run you deserve everything you get. Linking to other people's repositories does not count as source control https://twitter.com/...
  • @dominucco Michael Dominick on x
    This is the kind of thing that desperate people do when they aren't paid for their work. I know open-core is a dirty word, but we need a better model for #FOSS than we have. Otherwise, well this is the beginning. CC @ChrisLAS @CoderRadioShow https://www.bleepingcomputer.com/ ...
  • @memotv @memotv on x
    srsly what is this TL? OSS dev @marak sabotages his own js libs w over 20M DL/week & 20K dependents, crashing 1000s of apps. Github reverts libs & suspends his account, for sabotaging his own code. he also suggests Aaron Swartz was murdered for discovering MIT pedo ring 🤯 https:/…
  • @mor10 Morten Rand-Hendriksen on x
    Malicious code in open source libraries is becoming a big issue. https://www.theverge.com/...
  • @jongold @jongold on x
    lol drama https://github.com/...
  • @kennwhite @kennwhite on x
    Good luck to Marak Squires for ever getting hired anywhere in the future. Impact appears significant, including AWS' CDK. https://www.bleepingcomputer.com/ ...
  • @josephmenn Joseph Menn on x
    Well that's one way to drive discussion of the open-source dependency house of cards. https://twitter.com/...
  • @r0wdy_ Ham Elliot on x
    Is your org forking or just saying fuck it we're doing it live? https://twitter.com/...
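Several of the replies above turn on the same defensive point: a floating dependency range lets one bad upstream publish reach every consumer on their next install, while an exact pin plus a committed lockfile does not. The script below is an added example, not code from the BleepingComputer article or from the colors/faker projects. It audits a package.json for dependency specs that float (caret and tilde ranges, dist-tags such as `latest`, wildcards) and reports whether a lockfile is present; the package.json and the file list it runs against are constructed for the example, and the function names are the example's own.

```javascript
// Added example: audit a package.json for dependency specs that can pull in
// a new upstream version without any change on the consumer's side.
// Nothing here is from the original article; the sample manifest is constructed.

// An exact version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one dependency spec string the way a reviewer would read it.
// Returns 'exact' | 'wildcard' | 'url' | 'range' | 'tag' | 'unknown'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'exact';
  if (s === '' || s === '*') return 'wildcard';
  // git/http/file/alias specs and "owner/repo" GitHub shorthand.
  if (/^(git\+|github:|https?:|file:|npm:)/.test(s) || /^[^@\s/]+\/[^@\s/]+$/.test(s)) return 'url';
  // Semver ranges: ^1.4.0, ~5.5.0, >=9 <10, 1.x, 1.4.0 - 2.0.0, a || b.
  if (/^[~^<>=]/.test(s) || /\|\|/.test(s) || /^\d/.test(s)) return 'range';
  // Bare words are dist-tags: latest, next, beta ...
  if (/^[A-Za-z][\w.-]*$/.test(s)) return 'tag';
  return 'unknown';
}

// Sections whose specs should be pinned. peerDependencies are left out on
// purpose: they describe compatibility rather than what gets installed.
const PINNED_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return one finding per dependency whose spec is not an exact version.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of PINNED_SECTIONS) {
    const deps = pkg[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Combine the manifest audit with a lockfile check: exact pins only hold
// installs stable when a lockfile is committed and used (e.g. `npm ci`).
function summarize(pkg, filesInRepo) {
  const findings = auditDependencies(pkg);
  const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock', 'pnpm-lock.yaml'];
  const lockfile = filesInRepo.some((f) => LOCKFILES.includes(f));
  return { floating: findings.length, lockfile, ok: findings.length === 0 && lockfile };
}

// Constructed sample manifest (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    colors: '^1.4.0',     // caret: any 1.x.y >= 1.4.0 satisfies
    faker: '~5.5.0',      // tilde: any 5.5.y satisfies
    express: '4.17.1',    // exact
    'left-pad': 'latest', // dist-tag: whatever is published next
    lodash: '*',          // wildcard
  },
  devDependencies: {
    mocha: '>=9.0.0 <10', // range
    eslint: '8.6.0',      // exact
  },
};

// Constructed file listing for a checkout with no lockfile committed.
const SAMPLE_FILES = ['package.json', 'index.js', 'README.md'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}: ${f.name}@${f.spec} (${f.kind})`);
  }
  console.log(summarize(SAMPLE_PACKAGE_JSON, SAMPLE_FILES));
}
```

Run against the constructed manifest it reports five floating specs (colors, faker, left-pad, lodash, mocha) and no lockfile. The intended reading is that a clean audit needs both halves: exact specs in package.json and a committed lockfile installed with `npm ci`, which installs exactly what the lockfile records rather than re-resolving ranges.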