Skip to content
← Blog

Attack post-mortem

The colors and faker.js incident

Veln Team3 min read

Most supply chain incidents involve malicious actors attacking from the outside. The colors.js and faker.js incident in January 2022 was different: a maintainer deliberately broke their own packages as an act of protest. It wasn't an attack in the traditional sense, but it exposed the same underlying trust vulnerability that malicious attacks exploit.

Background

colors.js is an npm package for adding color to Node.js terminal output. At the time of the incident, it was downloaded approximately 24 million times per week. faker.js provides utilities for generating fake data — names, addresses, emails — for testing. It had approximately 2.5 million weekly downloads.

Both packages were maintained by Marak Squires. He had been the primary maintainer of colors.js for over a decade.

What happened

On January 8, 2022, Squires published new versions of both packages: colors@1.4.44-liberty-2 and faker@6.6.6. The changelogs for both referenced "Liberty Liberty Liberty" — an apparent reference to political frustration.

The new versions contained code that, when executed, would print an ASCII art banner ("LIBERTY LIBERTY LIBERTY") followed by an infinite stream of nonsensical characters to stdout. Any application that imported either package would hang or produce continuous garbage output.

Within hours, thousands of automated CI pipelines that auto-updated to the latest versions failed catastrophically. The issue reports began flooding in.

Why it spread so quickly

Both packages had large downstream dependency trees. Many projects that depended on them used version ranges (^1.4.0, ~6.6.0) in their package.json instead of pinned exact versions. npm install on a fresh checkout — or a CI pipeline that didn't use npm ci — would pull in the new broken versions automatically.

Projects that used npm ci with a committed lockfile were unaffected — their lockfile pinned the previous working versions.

npm's response

npm reverted both packages to earlier versions on the registry within hours, citing a violation of npm's terms of service (the intentional sabotage of a widely-used package).

Squires had also deleted the GitHub repositories for both packages. Later, he explained that his motivation was frustration with large companies using his open-source work for free without contributing back.

What this incident reveals

The trust model of package managers is personal. When you install a package, you're trusting not just the code that exists today, but all future code that the current maintainer might publish. Packages don't get security-audited between versions. The implicit contract is: this maintainer has been trustworthy in the past and will continue to be.

The "works today, broken tomorrow" attack surface. The colors/faker incident was noisy and quickly visible. A malicious actor with the same access — a maintainer account — could cause the same kind of immediate breakage invisibly, by publishing code that exfiltrates credentials instead of printing ASCII art. The mechanism is identical.

Version ranges are a liability. Every project that used "colors": "^1.4.0" instead of "colors": "1.4.2" was vulnerable to automatic installation of the broken version. Pinned exact versions, enforced with lockfiles and npm ci, were the complete protection.

How Veln handles this class of event

Veln's analysis pipeline would have caught the colors/faker versions at multiple points:

AST diff. The broken versions introduced code with an infinite loop — a while(true) construct that was not present in any previous version. Veln's diff analyzer flags new infinite loop constructs in non-test code as a structural anomaly (Diff delta — Rule 20: average behavior substantially different from previous version).

Canary sandbox. The sandbox would have executed the install and observed the package producing infinite output. The sandbox has a timeout; the package would not have exited cleanly, which produces a "suspicious" sandbox verdict.

Cooling gate. The version was published and could be installed immediately by projects with loose version ranges. Veln's cooling gate would have held the new version for 2 hours with zero community observations, regardless of content.

The broader lesson

The colors/faker incident is a useful reminder that supply chain security is not just about external attackers. Authorized maintainers are part of the trust surface. Veln's verification pipeline doesn't distinguish between "malicious actor who compromised an account" and "legitimate maintainer who decided to publish broken code." It treats any unexpected behavioral change as worth examining.

Veln's behavioral sandbox and diff analysis catch intentional breakage as readily as malicious attacks.

More in Attack post-mortem

Bring Veln to your team: open the Veln Console to create an organization and license, then install and activate the agent on the machines where you build.

Create a Console account