Developer Bricks Open-source apps Colors and Faker, causes chaos

Photo: Matic Zorman (Getty Images)

The eccentric developer behind two hugely popular open-source NPM encoding libraries recently corrupted them both with a series of bizarre updates – a decision that led to the bricklaying of countless projects that relied on them for support.

Marak Squires is the creator behind the popular JavaScript libraries fake and colors— things like this are important tools for developers in their various coding projects. To give you an idea of ​​how widespread these are, Colors Reportedly sees over 20 million downloads per week and Faker gets about 2 million. Suffice it to say that they are widely used.

However, Squires recently made the bizarre decision to screw all that up when he ran a bunch of malicious updates that messed up the libraries – and spawned a bunch of dependent projects. In the case of Colors, Squires sent an update that caused the source code to go into an endless repeating loop. This caused apps to use it to broadcast the text “Liberty Liberty Liberty” followed by a splurge of meaningless, unreadable data, effectively crippling their functionality. With Faker, a new update was recently introduced that basically destroys the entire code of the library. Squires then announced that he would no longer maintain the program “free”.

The entire episode, which sent developers relying on both programs into panic mode, appears to have been first observed by researchers with snyk, an open-source security company, and also BleepingComputer.

According to those sources, some 20,000 coding projects rely on these libraries for their work, and as a result of the recent commits, many of them are now effectively “bricked” — or, in layman’s terms, they’re fucked. (“Bricking” is the technical term for when a piece of hardware is damaged by a software glitch or other damage and becomes unusable.)

The most mind-boggling thing about this entire episode is that it’s not entirely clear why Squires did this. Some online commentators attributed the decision to a blog post he published in 2020 ranting against the use of open source code by big developers like himself. It’s true that corporate America tends to slacken fiscal austerity by exploiting freely available encryption tools (just look at the recent log4j debacle, for example), but if you’re an open-source coder, you’d ostensibly know and expect that.

Indeed, the way Squires blitzed its libraries seems to defy simple explanation. For starters, the commits messing with the libraries were accompanied by strange text files that, in the case of the Faker update, referenced Aaron Swartz. Swartz is a well-known computer programmer who Found dead in his apartment in 2013 of an apparent suicide. Squires also made some other strange public references to Swartz around the time of the evil commit.

“NPM has reverted to an earlier version of the faker.js package and Github has suspended my access to all public and private projects. I have hundreds of projects. #AaronSwartz‘ tweeted Squires on Jan. 6. Days before the mass bricklaying news broke, Squires also tweeted about Swartz and shared a Reddit thread links his death to recently convicted sex trafficker Ghislaine Maxwell.

The recent turn of events also sparked online speculation as to whether Squires is the same person charged for reckless danger in 2020, when a fire in a Queens apartment building owned by a ‘Marak Squires’ led researchers to discover a stash of homemade bomb-making materials. A number of people on Monday commented on Squires’ apparent connection to this incident: “Personally, after this incident, I started removing all Marak’s stuff from my projects whenever possible,” tweeted Nathan Peck, a developer at AWS Cloud, refers to the “bomb” episode. “The guy is not stable and I wouldn’t trust his code in anything.” However, Gizmodo could not find independent confirmation that the bomb Squires and coding Squires are one and the same.

In any case, it’s a very strange story – and one that doesn’t feel quite resolved at the moment. As such, we have reached out to Squires for comment and will update this story if he replies.

Stay tuned for more such real estate news and updates at

Leave a Comment