npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer
The maintainer of both libraries intentionally published sabotaged versions to npm: new colors.js releases contained an infinite loop that flooded the console with garbage output, and faker.js was stripped of its functionality. Any application that picked up the new releases hung or broke, effectively a denial of service delivered through a routine dependency update.
Impact
This incident affected a large but unknown number of users and impacted large downstream projects such as aws-cdk, Jest and the Node.js Open CLI Framework (oclif).
It renewed discussion of pinning (locking) dependencies to exact, lockfile-recorded versions so that a newly published upstream release cannot enter a build without review.
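As an added example, not code from the original page or from the colors/faker projects, the Node.js script below shows the two checks that discussion usually leads to: flagging `package.json` ranges that let npm auto-resolve to a newer release (`^`, `~`, `*`, dist-tags), and confirming that `package-lock.json` records each direct dependency with a version and an integrity hash. The manifest and lockfile it inspects are constructed for the example; the package names, versions and hashes are not real project data.

```javascript
// Added example, not code from the original page or from the colors/faker projects.
// Flags dependency ranges in a package.json that let npm auto-resolve to a newer
// (possibly sabotaged) release, and checks that a package-lock.json actually pins
// each direct dependency with an integrity hash. Sample inputs are constructed.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// A range is "pinned" if it can resolve to exactly one artifact: an exact
// version (optionally prefixed with "=") or a git URL with a full commit hash.
function isPinned(range) {
  const r = String(range).trim();
  if (EXACT_VERSION.test(r)) return true;
  if (r.startsWith('=') && EXACT_VERSION.test(r.slice(1))) return true;
  if (/^git(\+\w+)?:\/\/.*#[0-9a-f]{40}$/.test(r)) return true;
  return false; // ^, ~, >=, *, "latest", dist-tags, branch names, ...
}

// Walk the dependency fields and report every range that floats.
function findUnpinned(pkg, fields = ['dependencies', 'devDependencies', 'optionalDependencies']) {
  const findings = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!isPinned(range)) findings.push({ field, name, range });
    }
  }
  return findings;
}

// Lockfile check (package-lock.json v2/v3 "packages" map): every direct
// dependency must be recorded with a version and an integrity hash, otherwise
// `npm ci` cannot guarantee the bytes that end up in node_modules.
function lockfileGaps(pkg, lock, fields = ['dependencies', 'devDependencies']) {
  const packages = (lock && lock.packages) || {};
  const gaps = [];
  for (const field of fields) {
    for (const name of Object.keys(pkg[field] || {})) {
      const entry = packages[`node_modules/${name}`];
      if (!entry || !entry.version) gaps.push({ name, problem: 'not present in lockfile' });
      else if (!entry.integrity) gaps.push({ name, problem: 'no integrity hash in lockfile' });
    }
  }
  return gaps;
}

// Constructed sample manifest and lockfile (not real project files).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    colors: '^1.4.0',   // caret range: any newer 1.x release is accepted
    faker: '5.5.3',     // exact version
    express: '~4.17.1', // tilde range: any newer 4.17.x release is accepted
  },
  devDependencies: {
    jest: '*',          // anything at all
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/colors': {
      version: '1.4.0',
      resolved: 'https://registry.npmjs.org/colors/-/colors-1.4.0.tgz',
      integrity: 'sha512-constructedHashForThisExample',
    },
    'node_modules/faker': {
      version: '5.5.3',
      resolved: 'https://registry.npmjs.org/faker/-/faker-5.5.3.tgz',
      integrity: 'sha512-constructedHashForThisExample',
    },
    'node_modules/express': {
      version: '4.17.1',
      resolved: 'https://registry.npmjs.org/express/-/express-4.17.1.tgz',
      // integrity deliberately missing so the check fires
    },
    // jest deliberately absent: lockfile is out of sync with package.json
  },
};

console.log('floating ranges:', findUnpinned(SAMPLE_PACKAGE_JSON));
console.log('lockfile gaps:', lockfileGaps(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK));
```

In practice a check like this runs in CI next to `npm ci`, which refuses to install when `package.json` and `package-lock.json` disagree (unlike `npm install`, which quietly rewrites the lockfile), and `npm config set save-exact true` makes npm record exact versions instead of caret ranges by default. Pinning does not by itself tell you whether the pinned version is good; it only ensures that a version change is a visible, reviewable diff rather than something that happens at install time.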
A few weeks after this incident, npm announced that maintainers of the top-100 packages would be required to enable two-factor authentication (2FA) on their accounts. Note that 2FA protects against account takeover; it does not stop a legitimate maintainer from publishing a sabotaged release, which is what happened here.
Type of Compromise
This incident fits the malicious maintainer definition.
References
- The story behind colors.js and faker.js
- npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer—What to do Now?
- Open Source Developer Sabotages npm Packages ‘Colors,’ ‘Faker’
- https://snyk.io/blog/open-source-npm-packages-colors-faker/