faker.js and colors.js sabotage broke apps
The faker.js and colors.js sabotage was a paired maintainer protest that broke two widely used npm libraries in early January 2022.
Story
The faker.js and colors.js failures came from the same place: maintainer control. No outside attacker had to compromise accounts or infrastructure. The author controlled both projects and used that authority to push and publish code that downstream systems consumed as ordinary updates.
faker.js was force-pushed into an "endgame" state and npm received version 6.6.6, a broken, largely non-functional package that no longer behaved like the data generator developers expected. colors.js received releases whose module-level code printed protest text and then entered an infinite loop, so any process that loaded the library hung at startup.
The damage was operational. Applications broke during install, startup, or test runs because a small transitive package had turned into active failure code that ran as soon as it was required. The event showed that maintainer sabotage is still a supply-chain failure when the official project channel carries the change: the publish came from the legitimate account, so nothing in the registry or the install tooling had reason to reject it.
Recovery was social as much as technical. The community forked faker under new stewardship, the npm registry and downstream maintainers rolled back or pinned the affected versions, and the incident became a standing example of why tiny libraries with huge dependency graphs still need release discipline, and why consumers need lockfiles and explicit pins rather than floating version ranges.
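As an added example (not code from this page or from either project), the following Node script shows the "pin or roll back" step in practice: it scans an npm package-lock.json object for the sabotaged releases, including transitive copies nested under other packages, and emits the package.json overrides block that pins every copy back to a known-good version. The known-bad version table and the pin versions are assumptions taken from public reporting of the incident, not from this page, and the sample lockfile is constructed; check the table against your own advisory feed before relying on it.

```javascript
// Added example; not code from the page or from the faker/colors projects.
// Scans an npm package-lock.json object (lockfile v1, v2 or v3 shapes) for
// the sabotaged releases and builds the package.json "overrides" block that
// pins every copy of an affected package back to a known-good version.
//
// ASSUMPTION: KNOWN_BAD is built from public reporting of the January 2022
// incident, not from the page; verify it against your own advisory source.
const KNOWN_BAD = {
  colors: { bad: new Set(['1.4.1', '1.4.44-liberty-2']), pin: '1.4.0' },
  faker: { bad: new Set(['6.6.6']), pin: '5.5.3' },
};

// Package name from a v2/v3 "packages" key such as
// "node_modules/some-cli/node_modules/colors" -> "colors".
// Scoped names keep their "@scope/" prefix; the root entry ("") yields null.
function nameFromPackagePath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Collect every installed copy of a known-bad version, including nested
// (transitive) copies, which is where these packages usually sit.
function findSabotaged(lock) {
  const hits = [];
  const record = (name, version, where) => {
    const entry = KNOWN_BAD[name];
    if (entry && entry.bad.has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [p, meta] of Object.entries(lock.packages)) {
      const name = nameFromPackagePath(p);
      if (name && meta && meta.version) record(name, meta.version, p);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree under "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        if (meta && meta.version) record(name, meta.version, where);
        if (meta && meta.dependencies) walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// package.json "overrides" (npm >= 8.3): forces every resolution of the
// named package, at any depth, to the pinned version.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) overrides[h.name] = KNOWN_BAD[h.name].pin;
  return overrides;
}

function scan(lock) {
  const hits = findSabotaged(lock);
  return { hits, overrides: buildOverrides(hits) };
}

// Constructed sample lockfile (v2 shape): faker 6.6.6 installed directly,
// a sabotaged colors pulled in transitively by "some-cli", and a clean package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/faker': { version: '6.6.6' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.44-liberty-2' },
    'node_modules/chalk': { version: '4.1.2' },
  },
};

const result = scan(SAMPLE_LOCK);
for (const h of result.hits) console.log(`FOUND ${h.name}@${h.version} at ${h.where}`);
console.log('overrides:', JSON.stringify(result.overrides));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json and copy the printed object into the "overrides" field of package.json, then reinstall from the lockfile. The overrides field is honoured by npm 8.3 and later; on older npm the same effect needs an explicit install of the pinned version or a lockfile edit. The scanner deliberately matches exact sabotaged versions rather than a range, because the safe releases sit on both sides of the bad ones and a range check would either miss them or flag good versions.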
Linked Attacks
2022
The maintainer intentionally introduced an infinite loop and breaking changes into colors.js, a tiny library with millions of weekly downloads. The sabotaged releases printed the protest text and garbled non-ASCII characters, broke dependent applications, and caused denial of service in ordinary startup paths.
The maintainer of faker.js intentionally sabotaged the project, force-pushing an endgame commit and publishing version 6.6.6 to npm in a broken, largely non-functional state.
Campaign Context
- Actor: Author
- Attribution: Maintainer
- Cause: Unknown
Affected Packages
External References
Source record: oss/campaigns/faker-colors-sabotage-2022/meta.yaml