Open source code libraries Color and Faker were corrupted earlier this week by the software developer who has been maintaining them. The developer’s actions brought down projects from thousands of businesses using the libraries by sabotaging software updates, triggering infinite loops of jumbled code. This, coupled with the recent Log4J security breach, which was triggered by a vulnerability in a piece of open source code, has put the spotlight on the future of open source and whether businesses, many of which heavily rely on freely available software, should exercise more caution.

Colors library sabotage
Two popular open source libraries have been sabotaged… by the developer maintaining them (Photo themotioncloud/iStock)

The malicious updates, which were released earlier this week, triggered an infinite loop, resulting in a denial of service attack to any Node.js server using the libraries. The Colors library, which allows developers to add different styles of colours of font to their node.js servers, is downloaded more than 20 million times a week and used by 19,000 projects. Faker is deployed on more than 2,500 projects and received over 2.8 million downloads in the past week alone.

Projects using the libraries, which include the popular Amazon AWS cloud development kit, saw their applications write nonsense script on their consoles, under the lines LIBERTY LIBERTY LIBERTY. Users can get around the problem by downgrading to earlier versions of the two libraries.

Colors library sabotage: pay me a ‘six-figure’ salary says developer

The perpetrator, Marak Squires, added a new “American flag” module to the Colors library on Monday. The infinite loop triggered by the code will continue to print rubbish indefinitely, in the form of non-ASCII characters, on any consoles using applications with code from Colors. A sabotaged version of “6.6.6” of Faker was also published to Github.

It has been reported that Squires updated them maliciously to sabotage the libraries as well as their corresponding projects. He has previously published statements of his own frustration in donating free labour to open source communities, which are then used by companies who can afford to pay but contribute nothing to maintaining the libraries. In November 2020, Squires wrote: “Respectfully, I am no longer going to support Fortune 500s with my free work. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”

Responses to the effects of Squire’s malicious updates appeared online almost instantly. Most were in opposition to the act of sabotage. Cybersecurity expert Dr Vesselin Bontchev tweeted that the act was “irresponsible”, saying: “if you have problems with businesses using your free code for free, don’t publish free code.”

Is it time to stop using open source?

In the light of the Log4j vulnerability, which saw a flaw in an open source javascript widely exploited by cybercriminals, the subject of how secure open source actually is has been widely discussed. “Open source software does not owe you anything,” argues Boris Clipot, senior security engineer at Synopsys, which offers open source security tools. “While some open source projects are led or sponsored by companies, this is rarely the case. Often, developers work on components out of their own interest, and in their free time.”

This means that those using it cannot be sure that open source software is completely secure, says John Goodacre, professor of computer architectures at the University of Manchester. “Whether a developer reuses open source, or commercially sourced code in their project, there is always a risk that it can either perturb the expected behaviour of their application, as with the Colors and Faker libraries, or exposes their product to a cyber vulnerability, as with Log4j,” he says. “Some organisations can use code developed elsewhere for up to 85% of their projects.”

Despite these risks, businesses rely heavily on open source, with 89% of UK organisations that responded to OpenUK’s State of Open 2021 report saying they deploy open source software in their companies. And replacing these code libraries with a commercially developed equivalent would not necessarily improve matters, argues Quincy Larson, founder of coding non-profit organisation FreeCodeCamp. “Open source is more secure than closed source, because the code benefits from additional scrutiny,” he says. “Security issues are usually fixed quickly.”

Rather than getting irritated at the prospect of providing free labour for corporations, many open source developers are finding new ways to get payment for their endeavours. “They are seeking new ways to get compensated for their time, such as GitHub Sponsors, Patreon and a variety of blockchain projects,” he says.

The responsibility remains with companies using open source to retain control over the code by being involved in its production, explains Clipot. “If you are involved in the development, then you can also actively follow its risk development and will be able to react sooner rather than later,” he says. “You will also be given the opportunity to contribute to the success of the component and therefore, lower its operational risk generally.”