faker.js
faker.js NPM package maintainer sabotage breaks apps
The maintainer of faker.js intentionally sabotaged the project, force-pushing an endgame commit and publishing version 6.6.6 to npm in a broken, largely non-functional state. The protest disrupted a library with millions of weekly downloads and exposed how development, testing, and production systems can depend on unpaid maintainers as silent critical infrastructure.
- Date
- 2022-01-04 to 2022-01-09
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- source
- Impact
- Service Disruption
- Cause
- Sabotage
What Was Affected
Package
faker.js
Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.org
Repository
github.com/faker-js/faker
Compromised Versions
Incident Context
- Motive
- Disruption/Protest
- Attribution
- Author
- Transitive
- No
- User Impact
- 2800000
- Observed Duration
- 5 days
Evidence
Compromised Artifacts
Current Artifacts and Analysis
- github.com/faker-js/faker/commit/c05c10e95447f11b0f5c98470eacd713e9a9e497
- bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps
- snyk.io/blog/open-source-npm-packages-colors-faker-sabotaged
- blog.sonatype.com/fakerjs-colorsjs-maintainer-intentionally-sabotages-popular-npm-libraries
Indicators and Changes
Hashes
sha256:5234a5f7568a0d10977eeb898318c0f6567aeb1f2fa66939735e37a81f37bc39
sha1:c05c10e95447f11b0f5c98470eacd713e9a9e497
Commits
External References
Source Data
Source record: oss/faker.js/meta.yaml