Lessons Learned From the 2022 NPM Corruption

Marak Squires is the maintainer of the ‘colors’ and ‘faker’ libraries. The two projects accumulate ~23 million weekly downloads and support ~23,000 projects. In January of 2022, he intentionally introduced an infinite loop that bricked every project relying on either one of these libraries.


Consequently, GitHub suspended the developer’s account.



The justification the developer gave was retaliation against “Fortune 500s (and other smaller sized companies)” who rely extensively on cost-free, community-driven software but do not give back to the community. His actions follow an ultimatum he issued in November, when he stated that users of the projects must ‘pay me or fork’ them.


Responses to Marak’s actions have been mixed. Some members of the Open-source software (OSS) community have praised the developer’s actions, while others are unsympathetic and critical. Two things, however, have become undeniable from these events:


It is abundantly clear that the Open-source community is fundamentally divided on what ‘Open-source’ represents; and
Developers, start-ups, small businesses and corporations who leverage OSS must implement strict controls to protect themselves, their business and their customers.

Learning from Recent OSS Compromises


It should go without saying, but this recent corruption has underscored the need to emphasise key technical and security practices for working with OSS libraries.
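One such control, as an added example that is not code from the original post: a CI check that refuses floating version ranges in package.json (which let a newly published release of a dependency install without review) and lockfile entries that carry no integrity hash. The sample manifest and lockfile below are constructed, with hypothetical version numbers.

```javascript
// Added example, not from the original post: two checks a consumer can run
// in CI so that a freshly published dependency release cannot reach a build
// before a human has looked at it.

// An exact version, optionally with prerelease/build suffix: 1.4.0, 2.0.0-rc.1
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Ranges such as ^1.4.0, ~5.5.3, * or >=1.0.0 let npm choose the newest
// matching release at install time; an exact version does not.
function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Walk a package.json object and return every dependency whose spec floats.
function findFloatingDeps(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isPinned(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Walk a package-lock.json (lockfileVersion 2 or 3, "packages" map) and return
// entries with no SRI integrity hash: `npm ci` can only reject a tarball whose
// contents changed under the same version number if that hash was recorded.
function findUnverifiedLockEntries(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== '' && !entry.link && !entry.integrity)
    .map(([path]) => path);
}

// Constructed sample inputs (hypothetical versions and hash, not real releases).
const SAMPLE_MANIFEST = {
  dependencies: { colors: '^1.4.0', faker: '5.5.3', express: '4.17.1' },
  devDependencies: { jest: '~27.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/colors': { version: '1.4.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/faker': { version: '5.5.3' }, // no integrity recorded
  },
};

console.log('floating specs:', findFloatingDeps(SAMPLE_MANIFEST));
console.log('unverified lock entries:', findUnverifiedLockEntries(SAMPLE_LOCK));
```

Either list being non-empty is a reason to fail the pipeline; pinning plus a lockfile with integrity hashes means a sabotaged release has to be explicitly pulled in by a reviewed dependency update rather than arriving on the next install.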


None of this is new. At the start of 2020, the core-js project had 25 million weekly downloads, was critical to countless projects, and was maintained by a single developer who is infamous ..
