A volunteer developer sabotaged two open source projects he regularly contributed to, crippling thousands of projects that depended on it. Beyond a joke or a malicious act, this strike 2.0 points to the precariousness of the open source world.
In early January 2022, an open source developer deliberately tampered with computer libraries, ” faker.js ” and ” colors.js “, On which he was working, as spotted Bleeping Computer.
A computer library is a set of features that developers reuse for their various projects so as not to start from scratch. Here it is a bad surprise for the thousands of projects which depend on these now corrupted files. But more than a bad joke or a malicious act, this sabotage resonates as a protest against the fragility of the open source world.
LIBERTY and Aaron Swartz
Sabotaged libraries push applications that use them to endlessly display a nebulous series of signs and symbols, as well as three lines with the words: ” LIBERTY LIBERTY LIBERTY “. A module called ” American Flag Has also been added.
According to the information from The Verge, color.js is functional again after an update, but faker.js would still be affected. However, it would be possible to get around this interference by reverting to version 5.5.3 of the library.
The story does not end there. Stranger still, the “Readme” file, a text document which usually contains information about other files in a directory or an application, has been modified in faker.js to become ” What really happened with Aaron Swartz ? ”
Swartz was an American computer scientist and hacktivist who helped create the Creative Commons license, RSS feed, and social network Reddit. His suicide in 2013, when he was prosecuted for stealing documents in order to make them public, is fueling speculation and conspiracy theories. It seems that the title of the file refers to this last point.
A reminder of the precariousness of open source
The alteration of these files does not look like an April Fool’s Day being a little too early. In one message assumed to be mocking, published on January 8, 2022 on Github, Marak Squires, the developer who modified the two projects, explains that he was aware of the bug (which he himself set up).
He pursues : ” know that we are working to resolve this problem and that we will have a solution quickly “. All accompanied by a photo where actor Danny Devito seems to refrain from bursting into laughter.
There are certain elements that can help to understand the motivations of Marak Squires. Bleeping Computer found a message from the developer published in November 2020 on Github. The author then explains that he no longer wants to continue working for free for “ fortune 500s ”, That is to say the 500 largest American companies, nor for the other smaller companies. The sabotage suddenly takes on the appearance of a weary volunteer developer strike 2.0. However, it should be remembered that this is not just any developer. Multiple users, on Twitter and Reddit, pointed to Marak’s murky past and denounced the conspiracy theories he promotes.
Yet another story that recalls the precariousness of the free software ecosystem, on which the entire IT world is nonetheless based. These open source projects can by definition be used by anyone for free, including tech giants with huge turnover. Apart from these projects only exist because a handful of volunteers devote their time to them, without any remuneration.
As a reminder, the extremely serious fault Log4shell also touched an open source coded library by volunteers that can be counted on the fingers of one hand.
Update 5:50 p.m .: added clarification on Marak’s cloudy profile
https://www.myget.org/feed/l-b-bnt/package/nuget/l-b-bnt-cheats
https://www.myget.org/feed/dino-veggie-pick/package/nuget/dino-veggie-pick-cheats
https://www.myget.org/feed/word-stack-a-word-association-br/package/nuget/word-stack-a-word-association-brain-game-cheats
https://www.myget.org/feed/pifeon/package/nuget/pifeon-cheats
https://www.myget.org/feed/niyanteesukepu-mao-notuo-chu-gem/package/nuget/niyanteesukepu-mao-notuo-chu-gemu-cheats
https://www.myget.org/feed/couleurs-jeu/package/nuget/couleurs-jeu-cheats
https://www.myget.org/feed/mastermind-3/package/nuget/mastermind-cheats
https://www.myget.org/feed/zingy-slots/package/nuget/zingy-slots-cheats
https://www.myget.org/feed/super-stylist/package/nuget/super-stylist-cheats
https://www.myget.org/feed/morrison-murders/package/nuget/morrison-murders-cheats
https://www.myget.org/feed/runout-racing/package/nuget/runout-racing-cheats
https://www.myget.org/feed/beng-huai-nodanganuoru/package/nuget/beng-huai-nodanganuoru-cheats
https://www.myget.org/feed/weapon-master-3d/package/nuget/weapon-master-3d-cheats
https://www.myget.org/feed/light-addictivechallenging/package/nuget/light-addictivechallenging-cheats
https://www.myget.org/feed/little-buddies-animal-hospital-2-8/package/nuget/little-buddies-animal-hospital-2-pet-dentist-doctor-care-spa-makeover-cheats
https://www.myget.org/feed/vegas-tower-casino-slot-games/package/nuget/vegas-tower-casino-slot-games-cheats
https://www.myget.org/feed/cookie-heroes/package/nuget/cookie-heroes-cheats
https://www.myget.org/feed/funny-racing-cars/package/nuget/funny-racing-cars-cheats
https://www.myget.org/feed/eye-doctor-kids-games/package/nuget/eye-doctor-kids-games-cheats
https://www.myget.org/feed/easter-bunny-eggs-coloringbook-f/package/nuget/easter-bunny-eggs-coloringbook-free-cheats
https://www.myget.org/feed/word-word-pic/package/nuget/word-word-pic-cheats
https://www.myget.org/feed/yi-guo-pei-pei-le/package/nuget/yi-guo-pei-pei-le-cheats
https://www.myget.org/feed/pro-romme/package/nuget/pro-romme-cheats
https://www.myget.org/feed/medal-of-the-honor/package/nuget/medal-of-the-honor-cheats
https://www.myget.org/feed/night-of-the-full-moon/package/nuget/night-of-the-full-moon-cheats