Open Source · 2022-01-07 · 2 days · Service Disruption, Data Destruction

colors.js npm maintainer sabotage broke apps

Part of the faker.js and colors.js sabotage broke apps campaign

The maintainer intentionally introduced an infinite loop and breaking changes into colors.js, a tiny library with millions of weekly downloads. The protest act printed strange characters, broke dependent applications, and caused denial of service in normal startup paths.

Story

colors.js was a small formatting library with a large dependency graph. In January 2022, the maintainer used normal project authority to publish releases that no longer behaved like a utility library.

The malicious change was simple and loud. The package printed protest text and then ran an infinite loop, causing dependent programs to hang or fail during ordinary execution. There was no exploit chain after install; the package itself became the payload.

The affected versions moved through npm as official releases, including the oddly named 1.4.44-liberty-2 build. Consumers pulled them by semver range, by lockfile refresh, or through transitive dependencies whose owners did not treat colors.js as a security boundary.

The package was repaired and users pinned back or upgraded away from the bad releases. The lesson was plain: a maintainer can convert a harmless transitive dependency into a production outage with one publish.
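As an added example (not code from this record or from the colors.js project), a Node.js check that scans an npm lockfile for the three colors.js versions listed under Compromised Versions, including copies nested under other dependencies where a root pin would not catch them; the lockfile contents and dependency names are constructed for the demo.

```javascript
// Added example, not part of this record: scan an npm lockfile for the colors.js
// releases listed as compromised on this page, including transitive copies nested
// under other packages. Lockfiles below are constructed for the demo.
const COMPROMISED_COLORS = new Set(["1.4.1", "1.4.2", "1.4.44-liberty-2"]);
// Returns every lockfile entry whose package is "colors" at a compromised version.
// Handles lockfileVersion 2/3 ("packages", keyed by node_modules path) and
// lockfileVersion 1 ("dependencies", nested per package).
function findCompromisedColors(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/colors") && COMPROMISED_COLORS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "colors" && COMPROMISED_COLORS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`); // v1 nests transitive deps inline
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
// Constructed v2 lockfile: the app pins a safe colors at the root, but a
// transitive dependency resolved the sabotaged release underneath itself.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-cli": { version: "2.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2" },
  },
};
// Constructed v1 lockfile with the same situation in the older nested format.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    colors: { version: "1.4.0" },
    "some-cli": { version: "2.0.0", dependencies: { colors: { version: "1.4.2" } } },
  },
};
for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const h of findCompromisedColors(lock)) console.log(`compromised colors ${h.version} at ${h.path}`);
}
```

Replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a non-empty result means a sabotaged release is resolved somewhere in the tree even if the root pin looks fine.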

Affected Artifacts

colors.js

repository · Source Archive

Observed: 2022-01-07 to 2022-01-09

Compromised Versions:
  • 1.4.1
  • 1.4.2
  • 1.4.44-liberty-2

Fixed: Not listed

Hashes:
  • sha256:5bc0d3d47b85c20241bfb5a014f9c670db195b1341ee3f91c69b2243e6b7711c
  • sha256:764ff5d6f472e97de7196747741b9c4bc51186e9bf57690f4e68311df1ecfe92
  • sha256:c4175e9eecf0fb963b99e2d51a6f16bc8daf68c74378481a99092c8bb49c0b28

Incident Context

Motive: Disruption Protest
Attribution: Maintainer
Cause: Sabotage
Transitive: No
Actor: Author
User Impact: 2000000

External References

Source record: oss/attacks/colors.js/meta.yaml