colors.js NPM package maintainer sabotage breaks apps
The maintainer intentionally introduced an infinite loop and breaking changes into colors.js, a tiny library with millions of weekly downloads. The protest release printed strange characters to the console, broke dependent applications, and caused denial of service in normal startup paths. Its impact came from dependency gravity: a small utility can sit beneath enormous production surfaces.
- Date
- 2022-01-07 to 2022-01-09
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- source
- Impact
- Service Disruption
- Cause
- Sabotage
What Was Affected
Package
colors.js
Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.org
Repository
github.com/Marak/colors.js
Compromised Versions
Incident Context
- Motive
- Disruption/Protest
- Attribution
- Author
- Transitive
- No
- User Impact
- 2000000
- Observed Duration
- 2 days
Evidence
Compromised Artifacts
- registry.npmjs.org/colors/-/colors-1.4.1.tgz
- registry.npmjs.org/colors/-/colors-1.4.2.tgz
- registry.npmjs.org/colors/-/colors-1.4.44-liberty-2.tgz
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:5bc0d3d47b85c20241bfb5a014f9c670db195b1341ee3f91c69b2243e6b7711c
- sha256:764ff5d6f472e97de7196747741b9c4bc51186e9bf57690f4e68311df1ecfe92
- sha256:c4175e9eecf0fb963b99e2d51a6f16bc8daf68c74378481a99092c8bb49c0b28
Commits
External References
Source Data
Source record: oss/colors.js/meta.yaml