How a Rogue Developer Ruined Millions of Software (happened this weekend)

TLDR: A software developer who maintains some widely used open-source software decided to go rogue and injected a bug into it, making it unusable. This broke every other package (and developer) depending on his software.

Bug Breaks my Software Deployment

Over the weekend, I was deploying some software (to Firebase) with CI/CD pipelines. But for some reason, the pipelines were failing. The failure occurred at this stage of my GitHub Actions workflow:

```yaml
- uses: FirebaseExtended/action-hosting-deploy@v0
  with:
    repoToken: '${{ secrets.GITHUB_TOKEN }}'
    firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_ANTHONYDELLAVECCHIA }}'
    channelId: live
    projectId: anthonydellavecchia
    entryPoint: "./anthonyjdella"
```

This is the visual representation of my failed pipeline:

I then went over to the Firebase Extended GitHub repo to see if anyone else was having similar issues. And yep, many others were experiencing the same issue:

(link)

Rogue Developer, Marak

Well, it turns out action-hosting-deploy was using a dependency called colors, created by Marak (the rogue developer), a tool that colors and styles your Node.js console output. This npm package gets over 20 million downloads per week, so it's very popular!

So what? Well, Marak, the creator of colors, added code to his own project to purposely break it: an infinite loop that stops any program loading the package from doing anything useful.

link to Marak’s evil commit

This is very much intentional and not an accidental bug. It was malicious.

Why is Breaking his own Software Bad?

You may be wondering why breaking his own software is bad. Well, Marak knows that his software is used by other software, so if his breaks, so does theirs. Think of it as a chain reaction: if his package breaks, every package that depends on it breaks too. Because of “dependency hell”, this affects millions of developers.

Why Did Marak Do This?

Marak was upset that corporations were using his open-source software and not paying for it. It’s basically that simple. He posted an article on his blog.

How Do You Fix It?

If your software was using colors, you would have to revert to the previous (non-broken) version. But given this developer’s conduct, you should definitely switch to another package instead. Chalk is a recommended alternative.

It’s really important to have dependency management in place for your projects. Tools like Snyk or SonarQube will help you detect dependency issues so you can quickly resolve them.

For more information:

- https://snyk.io/blog/open-source-maintainer-pulls-the-plug-on-npm-packages-colors-and-faker-now-what/

- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Thanks for reading! 🙌

Check out more articles @anthonydellavecchia.com!
