faker.js npm maintainer sabotage broke apps
Part of the faker.js and colors.js sabotage broke apps campaign
The maintainer of faker.js intentionally sabotaged the project, force-pushing an endgame commit and publishing version 6.6.6 to npm in a broken, largely non-functional state.
Story
faker.js was a widely used development dependency for generating test data. In January 2022, the maintainer used direct control of the repository and the npm package to push an "endgame" commit and publish version 6.6.6 to npm.
The package did not hide a credential stealer or a loader; it broke the library's contract. Consumers expecting generated names, addresses, and other test data instead received a package whose normal API no longer worked.
The effect was amplified by dependency graphs. Projects that treated faker.js as a routine utility saw builds and applications fail after an ordinary dependency resolution step. Installs that were pinned, or whose lockfile already resolved to an earlier release, kept working; installs that resolved to the newest release did not. The release channel did exactly what it was designed to do: distribute the maintainer's latest package.
The community moved the project under new stewardship at faker-js/faker, and downstream users pinned, replaced, or upgraded their dependency. The incident remains useful because it separates provenance from safety: code published by the legitimate maintainer through the official channel can still be hostile.
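The triage a downstream user would want, as an added example that is not code from this page or from the faker.js project: a script that checks both whether a lockfile already installed the sabotaged release and whether the range declared in package.json would resolve to it on a fresh install. The version number 6.6.6 is taken from the record below; the manifest and lockfile objects are constructed for the example, and the range matcher covers only the exact, ^, ~, >=, > and wildcard forms seen in ordinary manifests.

```javascript
// Added example, not code from the page or the faker.js project: triage an npm
// project for the sabotaged faker release. Two checks: (1) did the lockfile
// already capture the bad version, (2) would the declared range resolve to it.
// The sabotaged version is from the record on this page; MANIFEST and LOCK
// below are constructed inputs.

const SABOTAGED = { name: 'faker', versions: ['6.6.6'] };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of major.minor.patch (prerelease handled by the caller).
function cmp(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  return 0;
}

// Does `range` admit `version`? true/false for the supported subset of npm's
// range grammar; null for syntax this matcher does not handle (hyphen ranges,
// "1.x", "||"), so "could not parse" is never mistaken for "safe".
function rangeAdmits(range, version) {
  const v = parseVersion(version);
  if (!v) return false;
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'latest') return true;
  const m = /^(\^|~|>=|>|=)?\s*(\S+)$/.exec(r);
  const base = m && parseVersion(m[2]);
  if (!base) return null;
  const op = m[1] || '=';
  if (op === '=') return cmp(v, base) === 0 && v.pre === base.pre;
  if (v.pre) return false; // prereleases are not admitted by operator ranges here
  switch (op) {
    case '>':  return cmp(v, base) > 0;
    case '>=': return cmp(v, base) >= 0;
    case '~':  return cmp(v, base) >= 0 && v.major === base.major && v.minor === base.minor;
    case '^':
      if (cmp(v, base) < 0) return false;
      if (base.major > 0) return v.major === base.major;                    // ^1.2.3 -> <2.0.0
      if (base.minor > 0) return v.major === 0 && v.minor === base.minor;  // ^0.2.3 -> <0.3.0
      return cmp(v, base) === 0;                                           // ^0.0.3 -> =0.0.3
  }
  return null;
}

// Lockfile v2/v3 "packages" map: keys are install paths such as
// "node_modules/faker" or "node_modules/a/node_modules/faker".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === SABOTAGED.name && SABOTAGED.versions.includes(entry.version)) {
      findings.push({ path, version: entry.version, resolved: entry.resolved || null, dev: !!entry.dev });
    }
  }
  return findings;
}

// Declared ranges that would resolve to a sabotaged version on a fresh install.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const range = (manifest[field] || {})[SABOTAGED.name];
    if (range === undefined) continue;
    for (const bad of SABOTAGED.versions) {
      const verdict = rangeAdmits(range, bad);
      if (verdict === true) findings.push({ field, range, admits: bad });
      else if (verdict === null) findings.push({ field, range, admits: 'unknown (unsupported range syntax)' });
    }
  }
  return findings;
}

// Constructed inputs: faker declared without a pin, lockfile holding 6.6.6.
const MANIFEST = { name: 'demo-app', devDependencies: { faker: '*' } };
const LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/faker': { version: '6.6.6', dev: true,
      resolved: 'https://registry.npmjs.org/faker/-/faker-6.6.6.tgz' },
    'node_modules/colors': { version: '1.4.0' },
  },
};

function runAudit(manifest = MANIFEST, lock = LOCK) {
  return { installed: auditLockfile(lock), resolvable: auditManifest(manifest) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Because 6.6.6 is a new major, a range such as `^5.5.3` does not admit it; wildcard, `latest`, or `>=`-style declarations do, which is what the manifest check is for. The lockfile check is the one to run on an existing checkout, since a lockfile that already resolved 6.6.6 will reinstall it regardless of the declared range until the entry is replaced or pinned.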
Affected Artifacts
faker.js
- Observed: 2022-01-04 to 2022-01-09
- Compromised Versions: 6.6.6
- Fixed: Not listed
- Hashes:
  - sha256:5234a5f7568a0d10977eeb898318c0f6567aeb1f2fa66939735e37a81f37bc39
  - sha1:c05c10e95447f11b0f5c98470eacd713e9a9e497
- Evidence:
  - distribution: registry.npmjs.org/faker/-/faker-6.6.6.tgz
  - mirror: github.com/faker-js/faker/commit/c05c10e95447f11b0f5c98470eacd713e9a9e497
  - mirror: bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps
  - mirror: snyk.io/blog/open-source-npm-packages-colors-faker-sabotaged
  - +2 more
Incident Context
- Motive: Disruption, Protest
- Attribution: Maintainer
- Cause: Sabotage
- Transitive: No
- Actor: Author
- User Impact: 2,800,000
External References
Source record: oss/attacks/faker.js/meta.yaml