npm Packages Sabotaged as OSS Sustainability Crisis Continues

A long-running debate about the sustainability of small open source projects moved beyond theory this week when two widely used open source Node.js packages published on npm were deliberately sabotaged by their own maintainer.

Colors.js is an npm package that has been downloaded over 3.3 billion times and is depended on by more than 19,000 projects. Faker has been downloaded 272 million times, with more than 2,500 projects relying on it. Colors.js lets developers print colored text to the console, while Faker generates fake data for testing applications. Developers who pulled the newly published version of Colors.js found their applications stuck in an infinite loop printing ‘LIBERTY LIBERTY LIBERTY’ followed by a stream of non-ASCII characters. Faker’s functional code, meanwhile, was removed outright. Because both changes shipped as ordinary new releases, any project whose dependency declaration allowed a newer version (a caret or tilde range rather than an exact pin) and which installed without a committed lockfile picked up the sabotaged code automatically on its next install.

Ax Sharma, chief security researcher at Sonatype, an open source software security platform provider, noted that these actions came in the wake of a series of vulnerabilities, the first of them a zero-day, in the widely used Log4j logging library for Java applications. Sharma was the first to report the sabotaged updates to Colors.js and Faker.

The small team of volunteers maintaining Log4j found themselves shipping several releases in quick succession to address issues of varying severity that had been assigned Common Vulnerabilities and Exposures (CVE) identifiers. Sharma said there is some controversy, however, over whether every one of those issues was serious enough to warrant a CVE entry.

This problem has now become a flashpoint for contributors to smaller open source projects. These contributors assert that larger organizations benefit from their efforts without contributing anything significant back to the project, let alone compensating the contributors for their time. Sharma explained that the recent updates to the two npm packages are, essentially, a statement of protest.

It’s not clear whether other contributors to small open source projects will follow suit, but the debate over the sustainability of these projects has raged. Many open source contributors take the view that organizations using the free software they create should bear the responsibility for securing it. That “user beware” stance is understandable from contributors who have never been compensated for their work. But when those same volunteers are expected to fix, urgently, projects that multi-billion dollar organizations depend on, resentment rises sharply.

Fortunately, some efforts are being made to address these issues. The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, has raised $10 million to help maintainers adopt best practices and better protect open source projects from malicious code. Google has pledged $1 million to help open source developers meet National Institute of Standards and Technology (NIST) guidelines following the Biden administration’s recent executive order on cybersecurity. Run as a pilot program by the Linux Foundation, that effort is part of a larger $10 billion commitment to cybersecurity that Google made previously.

And White House National Security Adviser Jake Sullivan recently sent a letter to major software companies and developers inviting them to discuss initiatives to improve the security of open source software. The first step is a one-day discussion this month hosted by Anne Neuberger, deputy national security adviser for cyber and emerging technology. In the letter, Sullivan noted that while open source software has accelerated the pace of innovation, much of it is maintained by volunteers, and that this is now a significant national security concern.

It is not clear how the emerging open source sustainability crisis will end. In the meantime, DevOps teams may want to consider the extent to which they rely on open source projects whose contributors feel their work is being exploited, and, whatever the answer, make sure that no new upstream release can reach a build without someone on the team having reviewed it first.
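The sabotaged releases reached projects through ordinary npm version resolution: a caret or tilde range in package.json lets the next install pick up whatever the maintainer publishes next, unless a committed lockfile holds it back. The script below is an added example written for this page, not code from the article or from either project; it reads a package.json and a lockfileVersion 2/3 package-lock.json (both constructed sample data with hypothetical package names and versions) and reports which direct dependencies are declared with floating ranges and what the lockfile actually resolved them to.

```javascript
// Added example (not from the article): audit which direct dependencies in a
// package.json are declared with floating ranges, and what package-lock.json
// actually resolved them to. The manifests below are constructed sample data;
// the package names and versions are hypothetical.

// An exact pin: MAJOR.MINOR.PATCH with an optional prerelease suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// A range "floats" if npm may resolve it to a release newer than the one the
// project was last built with: caret, tilde, wildcards, comparison operators,
// dist-tags such as "latest", or an empty string.
function isFloatingRange(range) {
  return !EXACT_VERSION.test(String(range).trim());
}

// Merge the direct dependency sections of a package.json into one map.
function directDependencies(manifest) {
  const out = {};
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      out[name] = range;
    }
  }
  return out;
}

// Map package name -> resolved version from the "packages" map of a
// lockfileVersion 2 or 3 package-lock.json. Only top-level entries
// ("node_modules/<name>" or "node_modules/@scope/<name>") are direct installs;
// nested paths are transitive dependencies and are skipped here.
function lockedVersions(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
    if (m && entry.version) out[m[1]] = entry.version;
  }
  return out;
}

// For each direct dependency, report the declared range, the version the
// lockfile recorded, and whether an install that ignores the lockfile
// (no committed lock, or `npm install` with an out-of-date one) could pull
// a release nobody on the project has reviewed.
function auditPins(manifest, lock) {
  const locked = lockedVersions(lock);
  return Object.entries(directDependencies(manifest)).map(([name, range]) => ({
    name,
    range,
    locked: locked[name] || null,
    floating: isFloatingRange(range),
  }));
}

// Constructed sample input (hypothetical packages).
const sampleManifest = {
  name: 'sample-app',
  dependencies: { 'lib-a': '^1.4.0', 'lib-b': '1.2.3' },
  devDependencies: { 'lib-c': '~5.5.0', '@scope/lib-d': 'latest' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/lib-a': { version: '1.4.0' },
    'node_modules/lib-b': { version: '1.2.3' },
    'node_modules/lib-c': { version: '5.5.1' },
    'node_modules/@scope/lib-d': { version: '2.0.0' },
    'node_modules/lib-a/node_modules/lib-e': { version: '0.1.0' }, // transitive, ignored
  },
};

for (const r of auditPins(sampleManifest, sampleLock)) {
  const flag = r.floating ? 'FLOATING' : 'pinned  ';
  console.log(`${flag} ${r.name.padEnd(14)} declared ${r.range.padEnd(8)} lock ${r.locked}`);
}
```

A floating entry is only safe while the lockfile is committed and the build uses `npm ci`, which installs exactly the versions the lockfile records and fails if package.json and the lockfile disagree; `npm install` will happily re-resolve a caret range to a newer release and rewrite the lockfile. Pinning exact versions closes the first gap, and routing every upgrade through a reviewed pull request closes the second.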
