What You Should Know About npm Packages 'colors' and 'faker'

What You Should Know About npm Packages 'colors' and 'faker'

Jan 12, 2022

On January 8, 2022, the open source maintainer of the wildly popular npm package colors, published colors@1.4.1 and colors@1.4.44-liberty-2 in which they intentionally introduced an offending commit that adds an infinite loop to the source code. The infinite loop is triggered and executed immediately upon initialization of the package’s source code, and would result in a Denial of Service (DoS) to any Node.js server using it.

Similarly, another popular npm package faker (known broadly as Faker.js), maintained by the same person. Faker is a project used by many developers to generative massive amounts of fake data, such that is commonly used in software testing practices.Respectively, the faker npm package version has been promoted to 6.6.6, and published to the public npmjs registry as an empty package which contains no source code.

Learn more in the blog: https://snyk.co/ueasN

📱Social Media📱
Twitter: https://twitter.com/snyksec
Facebook: https://www.facebook.com/snyksec
LinkedIn: https://www.linkedin.com/company/snyk
Website: https://snyk.io/