Earlier this month, two libraries from the popular open-source NPM registry were intentionally corrupted by their own developer. Those recent commits are affecting a number of applications, from small projects to major companies.
The two targeted libraries are colors.js and faker.js. According to BleepingComputer, which broke the news, together they account for around 23 million weekly downloads.
Behind this sabotage are claims or retaliation that may or may not stem from the previous big issue in the open-source world: log4j.
To fix that issue, which also impacted a large number of companies, maintainers and community members had to work over the holidays without compensation.
This is a huge paradox when, as noted, major companies rely on those open-source projects and give nothing back.
Even though the large majority of open-source projects and the community members around them have good intentions, this situation is a good reminder to be careful: check the quality of the code you're using upstream, and don't blindly download any package.
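One concrete check worth automating is whether your package.json lets npm float to a newer release on its own. The script below is an added example, not code from the original post or from either project: it flags every dependency that is not pinned to an exact version, so a sabotaged release can only enter a build through a deliberate version bump (plus a committed lockfile). The sample package.json and its version numbers are constructed for illustration.

```javascript
'use strict';

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
// Anything else (^, ~, *, x, >=, ||, "latest", "", git/url/tag specs) is a
// floating range that can resolve to a release the author never reviewed.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExact(range) {
  return EXACT.test(String(range).trim());
}

// Returns [{ section, name, range }] for every dependency that is not pinned.
function findFloatingDeps(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!isExact(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Constructed sample package.json (versions are illustrative, not real advice).
const SAMPLE_PKG = {
  name: 'demo-app',
  dependencies: { colors: '^1.4.0', faker: '5.5.3', express: '~4.17.0' },
  devDependencies: { jest: '27.4.7', eslint: 'latest' },
};

// Stand-alone use: `node check-pins.js [path/to/package.json]`; with no
// argument the constructed sample above is checked.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const pkg = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_PKG;
  for (const f of findFloatingDeps(pkg)) {
    console.log(`${f.section}: ${f.name}@${f.range} is not pinned`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { isExact, findFloatingDeps, SAMPLE_PKG };
}
```

Pinning alone only fixes the spec; run installs with `npm ci` against a committed lockfile so the resolved tree is the one you reviewed.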
And above all, slip a small donation to those who maintain and work for free so that you can save precious time in your development.