An Open-Source Developer Just Caused a Whole Lot of Chaos by Nuking Two of His Own Apps


The eccentric developer behind two immensely popular open-source NPM coding libraries recently corrupted them both with a series of bizarre updates — a decision that has led to the bricking of droves of projects that relied upon them for support.

Marak Squires is the creator behind the popular JavaScript libraries Faker and Colours — the likes of which are key instruments for developers in their various coding projects. To give you an idea of how widely used these are, Colours reportedly sees more than 20 million downloads a week and Faker gets about 2 million. Suffice it to say, they get a lot of use.

However, Squires recently made the bizarre decision to mess all that up when he executed a number of malicious updates that sent the libraries haywire — taking a whole lot of dependent projects with them. In the case of Colours, Squires sent an update that caused its source code to go on an endless repeating loop. This caused apps using it to emit the text “Liberty Liberty Liberty,” followed by a splurge of meaningless, garbled data, effectively crippling their functionality. With Faker, meanwhile, a new update was recently introduced that basically nuked the library’s entire code. Squires subsequently announced he would no longer be maintaining the program “for free.”
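As an added defender-side example (not code from the article or from either library), the Node.js script below audits a package.json for dependencies declared with floating semver ranges, which is what lets a sabotaged upstream publish like the ones described above reach dependent builds on the next install; it goes slightly beyond the article by naming the mitigation, exact version pins. The watchlist and the sample manifest are constructed for illustration.

```javascript
// Added example, not from the article: flag dependencies whose semver range
// would auto-pull a malicious new release of a watched package. Exact pins
// (or installs driven strictly by a lockfile) are the mitigation; caret, tilde
// and wildcard ranges accept whatever the maintainer publishes next.

// Packages named in the article; a real team would tailor this list.
const WATCHLIST = new Set(["colors", "faker"]);

// True when the specifier pins one exact version, e.g. "1.4.0" or "1.4.0-rc.1".
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(spec).trim());
}

// Walk every dependency section and report watchlisted packages that float.
// Returns an array of { section, name, spec } findings (empty when clean).
function findFloatingDeps(manifest) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    const deps = manifest[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (WATCHLIST.has(name) && !isExactPin(spec)) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical project, not a real one).
const SAMPLE_MANIFEST = {
  name: "constructed-sample-app",
  dependencies: { colors: "^1.4.0", express: "4.17.1" },
  devDependencies: { faker: "5.5.3", jest: "~27.0.0" },
};

for (const f of findFloatingDeps(SAMPLE_MANIFEST)) {
  console.log(`${f.section}: ${f.name}@${f.spec} would accept a newer publish`);
}
```

Run with `node` against a real manifest by replacing SAMPLE_MANIFEST with `JSON.parse(fs.readFileSync("package.json"))`; a clean result means the watched packages can only change when someone deliberately edits the pin.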

The whole episode, which sent developers that rely on both programs into panic mode, appears to have been first observed by researchers with Snyk, an open-source security company, as well as BleepingComputer.

According to those sources, some 20,000 coding projects rely on these libraries for their work and, as a result of the recent commits, many of them have now been effectively “bricked” — or, in layman’s terms, they’re fucked. (“Bricking” is the tech term for when a piece of hardware is corrupted via a software issue or other damage and becomes unusable.)

The most perplexing thing about this whole episode is that it’s not entirely clear why Squires did this. Some online commentators attributed the decision to a blog post he published in 2020, in which he railed against big companies’ use of open-source code from developers like himself. It’s true that corporate America tends to cut fiscal corners by exploiting freely available coding tools (just look at the recent log4j debacle, for example), though, if you’re an open-source coder, you would ostensibly know and expect that.

Indeed, the way in which Squires blitzed his libraries seems to defy simple explanation. For one thing, the commits that messed with the libraries were accompanied by odd text files that, in the case of the Faker update, referenced Aaron Swartz. Swartz is a well-known computer programmer who was found dead in his apartment in 2013 of an apparent suicide. Squires also made a number of other odd public references to Swartz around the time of the malicious commits.

“NPM has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz,” Squires tweeted on January 6. Days before the news broke about the mass bricking, Squires also tweeted about Swartz and shared a Reddit thread linking his death to recently convicted sex trafficker Ghislaine Maxwell.

The recent turn of events also spurred online speculation as to whether Squires is the same person who was charged for reckless endangerment in 2020, when a fire at a Queens apartment building owned by a “Marak Squires” led investigators to discover a stash of homemade bomb-making materials. A number of people commented on Squires’ apparent connection to this incident on Monday: “Personally I started removing all of Marak’s stuff from my projects whenever possible after this incident,” tweeted Nathan Peck, a developer at AWS Cloud, in reference to the “bomb” episode. “The dude is not stable, and I wouldn’t trust his code in anything.” However, Gizmodo was not able to find any independent corroboration that the bomb-Squires and coding-Squires are one and the same.

At any rate, it’s a very odd story — and one that doesn’t feel particularly resolved at this point. As such, we reached out to Squires for comment and will update this story if he replies.