16
nibor
3y

Gotta love npm open source packages

A developer appears to have purposefully corrupted a pair of open-source libraries on GitHub and software registry npm — “faker.js” and “colors.js”

https://snyk.io/blog/...

https://theverge.com/platform/amp/...

https://github.com/Marak/colors.js/...

Comments
  • 9
    And that was because he was frustrated that he didn't get paid. Imagine if such people got an offer - not from the industry, but from malware gangs.

    But hey, it's sooooo easy to pull in thousands of dependencies by random strangers from all over the internet! What could possibly go wrong?
  • 6
    Well, good luck finding someone who pays now.
  • 3
    @Fast-Nop That developer had some issues for the last couple of years, both financially and mentally. Just look at his tweets and posts on some OSS forums... Apparently being unable to profit from MIT-licenced OSS can drive people crazy
  • 3
    @hitko Well yeah, and with a sufficiently high number of dependencies, the probability of one dev going crazy is about 100%. It's not even the first time, either. Remember the NPM leftpad incident?
  • 3
    @Fast-Nop Not exactly the same, in this particular case the developer was already known for making bombs in his basement and burning down the house, which is why he was suddenly so desperate to make money from his popular OSS libs. https://nypost.com/2020/09/...
  • 2
    @hitko "The landlord (...) stumbled upon some suspicious packages"

    - I bet! SCNR
  • 3
    @Fast-Nop Look, this fire happened a few months after the guy already made a scene on twitter about quitting OSS and expecting a six-figure offer. He's been injured, but didn't seek medical help until landlord called the police. Then he makes a scene on twitter (again) about needing money and being screwed over by people using his MIT-licenced OSS. A year later, her tries to terrorise the internet by destroying the software he hasn't touched since 2019. Even if the landlord was somehow involved, the whole thing is on a level of its own.
  • 3
    @hitko what's your opinion of his blog post about trying to contact Retool that was blatantly stealing his work and the CEO ignoring his requests for payment?

    Link of blog post
    https://web.archive.org/web/...
  • 2
    @hitko who could have known that OSS was unprofitable?!
  • 3
    @hitko I am so fucking glad I didn't use his package then.
  • 4
    @hitko This is why there needs to be a legal-light class/website to explain licenses to people. Or people need to read that damn things. Sounds like he had way more other issues though, and the lack of profit was an excuse to blame.
  • 3
    @iSwimInTheC you'd have to read the contract of the service to know if it was stealing or not. Those were the guys who paid for the service so maybe it was not clear what is part of the license and what is not.
  • 4
    I've had this happen to my (MIT-licensed) Soundcloud Downloader Clean user script: https://greasyfork.org/en/scripts/.... A few days after I uploaded the 2nd version to greasyfork, this guy copied it and republished under another name, after slightly tweaking the code: https://greasyfork.org/en/scripts/....

    I decided I didn't care and didn't report it. But if you really don't want someone else running away with the merit and profit of your product, license it as GPL, or LGPL so it can at least be used as a library in a commercial project
  • 1
    I hope I can device an escape route out of nodejs by the end of the year.
    The problem is that the frontend is cursed to be JavaScript forever.
  • 2
    Ironically, maintainer here is a faker himself. Why would you endorse such simple license in the first place if you wanted product to be monetized? Good luck getting funds after cutting bridge! Bad PR is a PR, amirite.
  • 1
    Meanwhile:

    This is popcorn reading time!

    FUCK YOU THEVERGE for not being cookie-policy compliant.
Add Comment