The eccentric developer behind two immensely popular open-source NPM coding libraries recently corrupted them both with a series of bizarre updates—a decision that has led to the bricking of droves of projects that relied upon them for support.
However, Squires recently made the bizarre decision to mess all that up when he executed a number of malicious updates that sent the libraries haywire—taking a whole lot of dependent projects with them. In the case of Colors, Squires sent an update that caused the library to run in an endless loop. This caused apps using it to emit the text “Liberty Liberty Liberty,” followed by a splurge of meaningless, garbled data, effectively crippling their functionality. With Faker, meanwhile, a new update was recently introduced that basically nuked the library’s entire code. Squires subsequently announced he would no longer be maintaining the program “for free.”
The whole episode, which sent developers who rely on both programs into panic mode, appears to have been first observed by researchers with Snyk, an open-source security company, as well as BleepingComputer.
The most perplexing thing about this whole episode is that it’s not entirely clear why Squires did this. Some online commentators attributed the decision to a blog post he published in 2020, in which he railed against big companies’ use of open-source code from developers like himself. It’s true that corporate America tends to cut fiscal corners by exploiting freely available coding tools (just look at the recent log4j debacle, for example), though, if you’re an open-source coder, you would presumably know and expect that.
Indeed, the way in which Squires blitzed his libraries seems to defy simple explanation. For one thing, the commits that messed with the libraries were accompanied by odd text files that, in the case of the Faker update, referenced Aaron Swartz. Swartz is a well-known computer programmer who was found dead in his apartment in 2013 of an apparent suicide. Squires also made a number of other odd public references to Swartz around the time of the malicious commits.