article featured image


The default package manager for the JavaScript runtime environment Node.js is npm. It is actually made of a command-line client, also known as npm, and an online database of public and paid-for private packages known as the npm registry.

The registry is accessed via the client, and the available packages may be viewed and searched via the npm website. npm, Inc. manages the package management and the registry.

What Happened?

Users of the popular open-source libraries ‘colors’ and ‘faker’ were caught off guard when they saw their apps, which used these libraries, display gibberish data, and crash.

Some speculated whether the NPM libraries had been hacked, but it turns out that there’s a lot more to the story.

The creator of these libraries purposefully included an indefinite loop, which bricked hundreds of applications that rely on ‘colors’ and ‘faker.’

The colors library has over 20 million weekly downloads on npm alone, and it is used by around 19,000 applications. Faker, on the other hand, has over 2.8 million weekly downloads on npm and over 2,500 dependencies.

The author of the popular open-source NPM libraries ‘colors’ (as ‘colors.js’ on GitHub) and ‘faker’ (aka ‘faker.js’ on GitHub) purposefully injected malicious commits in them, affecting millions of apps that rely on these libraries.

Users of popular open-source projects, such as Amazon’s Cloud Development Kit (aws-cdk), were surprised yesterday when their apps displayed incomprehensible messages on their consoles.

The word ‘LIBERTY LIBERTY LIBERTY’ was followed by a sequence of non-ASCII characters:


Users first assumed that the libraries ‘colors’ and ‘faker’ used by these projects had been hacked [1, 2, 3], similar to how hostile actors hijacked the coa, rc, and ua-parser-js libraries last year.

BleepingComputer reported that the developer behind colors and faker appears to have knowingly committed the code responsible for the significant error.

Marak Squires, the developer, introduced a “new American flag module” to the colors.js library yesterday in version v1.4.44-liberty-2, which he subsequently published to GitHub and npm.

The code’s infinite loop will continue to run indefinitely, outputting the nonsense non-ASCII character sequence on the console for all apps that require ‘colors.’

What Was the Reason Behind This Action?

This mischief appears to be retaliation against mega-corporations and commercial users of open-source projects that heavily rely on free and community-powered software, but are not contributing back to the community.

Marak stated back in November 2020 that he will no longer be providing “free work” to large businesses and that commercial entities should consider either forking the projects or compensating the developer with an annual “six-figure” income.

Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work.

There isn’t much else to say.

Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.


As reported by BleepingComputer, the users of ‘colors’ and ‘faker’ NPM projects should ensure they are not using an unsafe version. Downgrading to an earlier version of colors (e.g. 1.4.0) and faker (e.g. 5.5.3) is one solution.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *