Open Source · 2022-01-04 · 5 days · Service Disruption, Data Destruction

faker.js npm maintainer sabotage broke apps

Part of the faker.js and colors.js sabotage broke apps campaign

The maintainer of faker.js intentionally sabotaged the project, force-pushing an endgame commit and publishing version 6.6.6 to npm in a broken, largely non-functional state.

Story

faker.js was a widely used development dependency for generating test data. In January 2022, the maintainer used their direct control of the repository and the npm package to force-push an "endgame" commit and publish version 6.6.6 to npm.

The release carried no hidden payload such as a credential stealer or loader; it simply broke the library's contract. Consumers expecting generated names, addresses, and other test data instead received a package whose normal API no longer worked.

The effect was amplified by dependency graphs. Projects that treated faker.js as a routine utility saw builds and applications fail after an ordinary dependency resolution step: any install that resolved to the newest release, whether through a version range that admitted 6.6.6 or a fresh install with no lockfile, pulled in the sabotaged package, while installs held to a lockfile or an exact pin did not. The release channel did exactly what it was designed to do: distribute the maintainer's latest package.

The community moved the project under new stewardship at faker-js/faker and downstream users pinned, replaced, or upgraded dependencies. The incident remains useful because it separates provenance from safety: official code can still be hostile code.

Affected Artifacts

faker.js

Links
repository · Source Archive
Observed
2022-01-04 to 2022-01-09
Compromised Versions
  • 6.6.6
Fixed
Not listed
Hashes
  • sha256:5234a5f7568a0d10977eeb898318c0f6567aeb1f2fa66939735e37a81f37bc39
  • sha1:c05c10e95447f11b0f5c98470eacd713e9a9e497

Incident Context

Motive
Disruption, Protest
Attribution
Maintainer
Cause
Sabotage
Transitive
No
Actor
Author
User Impact
2,800,000

External References

Source record: oss/attacks/faker.js/meta.yaml