Deliberately infected JavaScript libraries and disabled thousands of apps

Last week, Marak Squires, the developer of two major JavaScript libraries with more than 21,000 dependent applications and 22 million weekly downloads between them, updated both projects after a year of inactivity. The updates, however, contained malicious code that, by running an infinite loop, caused applications depending on the two libraries to crash and print endless strings of incomprehensible characters that began with three lines of the word “LIBERTY,” meaning “freedom.”

This deliberate sabotage caused a wave of chaos and panic in the developer community, whose applications were suddenly broken, with everyone scrambling to repair their damaged projects any way they could.

What exactly was the story about?

Marak Squires is the creator of two popular open source JavaScript libraries, Faker and Colors, which provide important and useful tools free of charge to developers around the world. The faker.js library, which generates dummy data for testing, has more than 2,500 dependent projects on GitHub and 2.5 million weekly downloads on npm. The colors.js library, which adds color to JavaScript console output, has about 22.4 million downloads per week and more than 19,000 dependent projects.

Last week Squires pushed a destructive commit to colors.js, framed as a “new American flag module,” and updated the faker.js library to version 6.6.6, after a year without changes to either library. With this destructive update, developers using these two libraries in their projects ran into trouble: their applications suddenly started producing endless strings of obscure characters that began with three repeated lines of the word “LIBERTY,” meaning “freedom.”
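Why a single maintainer’s upload reaches so many applications at once comes down to how npm resolves version ranges: an unpinned caret range picks up whatever newest release the maintainer publishes, while an exact pin or a lockfile does not. The following is an added example (not code from the article or from either library) with a minimal caret-range resolver run over a constructed list of published versions.

```javascript
// Added example, not from the article: a minimal semver "caret" resolver
// showing why an unpinned range picks up a surprise new release while an
// exact pin stays put. Only "^x.y.z" and exact "x.y.z" ranges are handled;
// prerelease versions (e.g. "1.4.2-pre.1") are skipped, as npm does for
// plain ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Caret semantics: version >= base and no change to the leftmost non-zero
// component (major for 1.x+, minor for 0.x, patch for 0.0.x).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (v.pre) return false; // prereleases never match a plain range
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  if (!caret) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  if (base.major !== 0) return v.major === base.major;
  if (base.minor !== 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// Pick the highest published version satisfying the range, as an install
// without a lockfile would.
function resolve(range, published) {
  const ok = published.filter((p) => satisfies(p, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state: a library at 1.4.0 receives a surprise 1.4.1
// (the situation described in the article) plus a prerelease tag.
const published = ["1.3.0", "1.4.0", "1.4.1", "1.4.2-pre.1"];
console.log(resolve("^1.4.0", published)); // 1.4.1 -> the new release is pulled in
console.log(resolve("1.4.0", published));  // 1.4.0 -> an exact pin stays put
```

Committing a lockfile gives the same protection as the exact pin for every transitive dependency, which is the check a project would want before relying on a range like `^1.4.0`.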

What was Marak Squires’ motive for this deliberate sabotage?

Squires’ motives for infecting his libraries with malicious code and disrupting thousands of developers are unclear, but one can guess. Alongside the update, the programmer asked in the readme file: “What exactly happened to Aaron Swartz?”

Aaron Swartz, known to some as “the Internet’s Own Boy,” was a brilliant programmer who contributed to the development of the RSS standard at the age of 14. He also played a major role in designing the Open Library architecture, launching the nonprofit Creative Commons, and developing the Infogami platform, which was later merged into Reddit.

Aaron was also a hacktivist who believed in freedom of information on the Internet. In that spirit, in 2010 he connected to the MIT network and used scripts to illegally download millions of paywalled articles from JSTOR, the digital archive of academic journals, intending to make them freely available on other websites.

Aaron took his own life a month before his trial; if convicted, he faced up to $1 million in fines and more than 35 years in prison. The question “What exactly happened to Aaron Swartz?” suggests, however, that Marak Squires is among those who believe Aaron’s death was not a suicide.

Squires also repeated the question in a tweet and linked to a Reddit page where a user claimed that Swartz had been killed for discovering child sexual abuse material on MIT servers. One of the posts on that page, since deleted, read:

All those involved in Swartz’s case point to the fact that he lost his life in a heroic act to expose sexual perversions that had penetrated the hearts and minds of the world’s elites.

Aaron Swartz and conspiracy theories aside, some on the Internet speculate that Marak Squires may have been behind the fire in his apartment in 2020.

One user wrote in a tweet that after this incident he had removed all of Squires’ code from his projects because the man lacked “mental stability.” Although there is no strong evidence connecting the two events, a month after the fire Marak himself tweeted, “I lost all my belongings in the fire in my house,” and asked his followers for financial help.

Still, the story does not end there. In a November 2020 post on GitHub, Squires stated that he no longer wanted to work for free:

Sincerely, I no longer want to support Fortune 500 and other smaller companies with my free work. Either sign a six-figure annual contract with me or let someone else work on the project.

With this bold move, Squires sought to draw attention to the moral and financial dilemma of open source projects. Countless websites, software packages and applications rely on open source projects, entirely free of charge, for tools and other essential components. Moreover, many developers volunteer around the clock to develop these projects and to fix problems and vulnerabilities that sometimes throw the entire Internet into confusion, as the Log4j vulnerability did.

The dilemma of open source projects

Big, lucrative companies like the Fortune 500 that Squires mentions use open source ecosystems at no cost and do not sponsor the developers who work tirelessly on these projects.

Problems of Open Source Project

The fact that a single developer can cause such a major problem for such a wide range of apps and companies clearly illustrates a fundamental weakness in the structure of the free and open source platform. Add to developers’ deliberate sabotage the ordinary vulnerabilities that remain hidden from developers, and the picture gets worse.

Under these circumstances you can see just how endangered this ecosystem is, for all its advantages. The next incident may be far larger in scale; but before it happens, has anyone thought of a fundamental solution to the problems of open source platforms?
