Why Did a Developer Sabotage Popular npm Packages Colors and Faker?

A wave of developers discovered their applications spewing garbled output after a malicious update to the widely used npm libraries colors and faker, revealing a deliberate sabotage by maintainer Marak Squires that sparked heated debate over open‑source ethics, corporate exploitation, and security responsibilities.

Programmer DD

“Is deleting your own code from GitHub a violation of their Terms of Service? WTF? This feels like kidnapping.”

In January 2022 many developers woke up to find their programs printing nothing but garbled characters. The common factor was two popular open-source npm libraries, colors and faker, which together receive millions of downloads a week.

The first suspicion was a supply-chain attack of the kind seen earlier with coa, rc and ua-parser-js, where a maintainer's account was compromised and poisoned releases were pushed. Here the releases came from the libraries' own maintainer, Marak Squires, who had just published colors v1.4.44-liberty-2 and faker 6.6.6.

The colors package alone receives over 20 million weekly downloads on npm, with nearly 19 000 projects depending on it; faker sees more than 2.8 million weekly downloads and is used by over 2 500 projects.

Examining the commit history showed that Marak had added a "new American flag module" to colors.js in the v1.4.44-liberty-2 release. The added code runs at load time, before any dependent code executes: it enters an infinite loop that prints "LIBERTY LIBERTY LIBERTY" followed by long runs of non-ASCII "Zalgo" text, together with an ASCII rendering of the U.S. flag. Because the loop never returns, any program that requires colors hangs at startup with its console flooded, which effectively broke thousands of dependent projects.

Marak also rewrote the faker repository's README and posted a cryptic "endgame" message referencing the activist Aaron Swartz, echoing his earlier demand that companies relying on his "free work" either pay him a six-figure yearly contract or fork the projects.

The open‑source community reacted sharply: some developers understood Marak’s protest against corporate exploitation of free code, while others condemned the sabotage as irresponsible.

Security researcher Vesselin Bontchev (@VessOnSecurity) described the behaviour as "truly irresponsible".

npm removed the sabotaged releases and restored the previous versions as the packages' current releases (faker 5.5.3; colors 1.4.0 remains the last known-good version), and GitHub suspended Marak's account, cutting off his access to all of his public and private repositories, citing a violation of its terms of service.

The incident reignited the broader supply-chain risk debate that Log4j had just reopened, with studies cited at the time putting more than 300 000 vulnerable package instances across over 60 000 open-source projects on GitHub, a footprint that touches the majority of enterprise systems.

The episode underscores the tension between large corporations that profit from free open‑source software and the developers who receive little or no compensation for their contributions.

Republication notice: this article has been distilled and summarized from source material and republished for learning and reference. If you believe it infringes your rights, contact admin@besthub.dev and it will be reviewed promptly.

Tags: Security, open-source, npm, Faker, colors, supply-chain
Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".