The developer made destructive changes to the colors and faker NPM packages used in 20 thousand projects

Marak Squires, author of the popular colors (Node.js console coloring) and faker (generator of dummy data for input fields) packages, with 2.8 and 25 million weekly downloads, has published new versions of both to the NPM registry and GitHub that contain deliberately destructive changes, causing failures at the build and run stages of dependent projects. Marak's actions broke many projects that use these libraries, including the AWS CDK: colors is a dependency of 18953 projects, and faker of 2571.

The colors library gained code that prints "LIBERTY LIBERTY LIBERTY" to the console and then enters an infinite loop, blocking dependent projects and emitting a stream of garbled text ("tesing"). The faker repository's contents were deleted: an "endgame" commit added .gitignore and .npmignore files that exclude the project files, and the README was replaced with the question "What really happened to Aaron Swartz". The problems are present in colors 1.4.1+ and faker 6.6.6.
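Because the sabotaged releases were pulled in automatically through version ranges, the practical check is to look at what a lockfile actually resolved. The following is an added example, not code from the article or from either project: it scans a package-lock.json (lockfile v2/v3 "packages" map) for the affected versions stated above, using a constructed sample lockfile embedded inline.

```javascript
// Added example (not from the article): flag the sabotaged releases named
// above (colors >= 1.4.1, faker 6.6.6) in a package-lock.json, lockfile v2/v3.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Affected-version predicates as stated in the article.
const AFFECTED = {
  colors: (v) => compareVersions(v, '1.4.1') >= 0,
  faker: (v) => compareVersions(v, '6.6.6') === 0,
};

// The "packages" map keys every installed copy by path, e.g.
// "node_modules/colors" or "node_modules/x/node_modules/faker", so nested
// (transitive) copies are caught too; the "" key is the root project.
function findSabotagedVersions(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const ver = entry.version;
    if (name && ver && AFFECTED[name] && parseVersion(ver) && AFFECTED[name](ver)) {
      hits.push({ path, name, version: ver });
    }
  }
  return hits;
}

// Constructed sample lockfile for demonstration (not a real project's).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/colors': { version: '1.4.2' },
    'node_modules/faker': { version: '5.5.3' },
    'node_modules/some-lib/node_modules/faker': { version: '6.6.6' },
    'node_modules/chalk': { version: '4.1.2' },
  },
};

console.log(findSabotagedVersions(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the lockfile resolved one of the sabotaged releases and should be pinned back to a known-good version.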

In response, GitHub blocked Marak's access to his repositories (90 public plus several private), and NPM rolled back the malicious versions of the packages. The legality of GitHub's action is nonetheless questionable, since a developer deleting code from one of their own repositories can hardly be considered a violation of the service's rules. Moreover, the licenses of colors and faker explicitly disclaim any warranty or obligation regarding the code's performance.

Interestingly, the first warning that development would stop was posted more than a year ago. In September 2020 Marak lost all his property in a fire, after which, in early November, he issued an ultimatum to the commercial companies using his projects: fund continued development, or he would stop maintaining them, since he no longer intended to work for free. Before the incident, the last release of colors was two years ago, and of faker 9 months ago.

As for the motive behind the destructive changes, Marak is probably trying to teach a lesson to corporations that use the work of the free software community and give nothing back, or to draw attention to a reconsideration of the circumstances of Aaron Swartz's death. Aaron committed suicide after criminal charges were brought against him for copying scientific articles from the paid JSTOR database; he advocated free access to scientific publications. He was charged with computer fraud and unlawfully obtaining information from a protected computer, offences carrying a maximum sentence of 50 years in prison and a fine of one million dollars (under a plea agreement in which he admitted the charges, Aaron would have had to serve 6 months in prison).

It is believed that Aaron, suffering from depression, could not withstand the pressure of the judicial system and the injustice of the charges (he was threatened with 50 years in prison merely for downloading the contents of a database of scientific articles which, in his opinion, should be distributed without restriction). In the question about Aaron's death posted in place of the deleted code, and in a post on Twitter, Marak Squires alludes to an unconfirmed conspiracy theory according to which Aaron Swartz found documents in the MIT archive that compromise certain important people and was killed for it, with the death disguised as suicide (tomorrow it will be 9 years since Aaron passed away).

Source: opennet.ru