{"id":1782,"date":"2022-01-10T13:33:24","date_gmt":"2022-01-10T05:33:24","guid":{"rendered":"https:\/\/tongwing.woon.sg\/blog\/?p=1782"},"modified":"2022-01-10T13:33:24","modified_gmt":"2022-01-10T05:33:24","slug":"dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps","status":"publish","type":"post","link":"https:\/\/tongwing.woon.sg\/blog\/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps\/","title":{"rendered":"Dev corrupts NPM libs &#8216;colors&#8217; and &#8216;faker&#8217; breaking thousands of apps"},"content":{"rendered":"<p>Previously we saw attackers using <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/popular-coa-npm-library-hijacked-to-steal-user-passwords\/\">hijacked npm libraries<\/a> to steal credentials. In this case neither the libraries nor the maintainer was compromised: the maintainer himself deliberately pushed broken releases of his own libraries, breaking thousands of apps that depend on them. There is no easy fix for this dependency problem. For now, pin exact versions (and commit the lockfile so installs are reproducible) and manually review upgrades before adopting them.<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps\/\"><img decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/tongwing.woon.sg\/blog\/wp-content\/uploads\/2022\/01\/faker-liberty.jpeg\" alt=\"\" \/><\/a><\/p>\n<blockquote><p>Users of popular open-source libraries &#8216;colors&#8217; and &#8216;faker&#8217; were left stunned after they saw their applications, using these libraries,\u00a0printing gibberish data and breaking. 
Some surmised that the NPM libraries had been compromised, but it turns out there&#8217;s more to the story.<\/p><\/blockquote>\n<p>Source: <em><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps\/\">Dev corrupts NPM libs &#8216;colors&#8217; and &#8216;faker&#8217; breaking thousands of apps<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Previously we saw attackers using hijacked npm libraries to steal credentials. In this case neither the libraries nor the maintainer was compromised: the maintainer himself deliberately pushed broken releases of his own libraries, breaking thousands of apps that depend on them. There is no easy fix for this dependency problem. For now, pin [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,8,10],"tags":[],"_links":{"self":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1782"}],"collection":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/comments?post=1782"}],"version-history":[{"count":1,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1782\/revisions"}],"predecessor-version":[{"id":1784,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1782\/revisions\/1784"}],"wp:attachment":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/media?parent=1782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/categories?post=1782"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/tags?post=1782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
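Added example, not code from the original post or from the colors or faker projects: a small Node script that audits a package.json for dependency ranges that would let npm pull a newer release on its own, plus a minimal range check (exact pins and caret ranges only, a subset of npm's semver rules) showing why a spec such as ^1.4.0 silently accepts any later 1.4.x or 1.x release while an exact pin does not. The sample manifest, the package names other than colors and faker, and every version number are constructed for the illustration.

```javascript
// Audit a package.json for dependency specs that are not exact pins.
// Sample manifest constructed for this example (not a real project).
const samplePkg = {
  name: 'example-app',
  dependencies: { colors: '^1.4.0', faker: '5.5.3' },
  devDependencies: { 'some-tool': '~2.1.0', 'another-tool': '*' },
};

// An exact pin: MAJOR.MINOR.PATCH with an optional prerelease tag, no operators.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions; a prerelease sorts below the final release
// with the same numeric tuple.
function cmp(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Does `spec` allow `candidate` to be installed? Supports exact pins and
// caret ranges only (subset of npm semver); other operators throw.
function rangeAllows(spec, candidate) {
  const c = parseVersion(candidate);
  if (EXACT.test(spec)) return spec === candidate;
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    // A plain range never matches a prerelease of a different tuple.
    if (c.pre && !base.pre) return false;
    if (cmp(c, base) < 0) return false;
    // ^1.4.0 => >=1.4.0 <2.0.0 ; ^0.2.0 => >=0.2.0 <0.3.0 ; ^0.0.3 => =0.0.3
    if (base.major > 0) return c.major === base.major;
    if (base.minor > 0) return c.major === 0 && c.minor === base.minor;
    return c.major === 0 && c.minor === 0 && c.patch === base.patch;
  }
  throw new Error(`unsupported range operator in spec: ${spec}`);
}

// List every dependency whose spec is not an exact pin.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Stand-alone run: report unpinned specs and show what a caret range accepts.
for (const d of findUnpinned(samplePkg)) {
  console.log(`unpinned: ${d.field}.${d.name} = "${d.spec}"`);
}
console.log('^1.4.0 accepts 1.4.44:', rangeAllows('^1.4.0', '1.4.44'));
console.log('1.4.0 accepts 1.4.44:', rangeAllows('1.4.0', '1.4.44'));
```

To run it against a real project, replace samplePkg with `JSON.parse(require('fs').readFileSync('package.json', 'utf8'))`; pair pinned specs with a committed lockfile and `npm ci` so that CI installs exactly what was reviewed rather than the newest release a range happens to allow.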