Rapid Response: Finding NPM libs 'colors' and 'faker'

By

On January 9, 2022, journalist and researcher Ax Sharma wrote an article, "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps".

From Ax

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.

The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.' 

The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.

JupiterOne response to our clients

We have created a set of J1 queries for our customers to quickly find if they are using the affected libraries. If you aren't using J1 yet, you can get a free lifetime license and run the queries immediately. 

To ingest NPM dependency data into your graph, you could use the npm-inventory script from our secops-automation-examples repo.

Find vulnerable 'faker' packages

This query searches for known-vulnerable npm 'faker' packages:

Find npm_package
with displayName='faker'
that USES as u CodeRepo
where u.version='6.6.6'
return TREE

 

Find vulnerable 'colors' packages

This query searches for known-vulnerable npm 'faker' packages:

Find npm_package
with displayName='colors'
that USES as useRelationship CodeRepo
WHERE useRelationship.version = ('1.4.2' OR '1.4.1' OR '1.4.44-liberty-2')
return TREE

 

If you'd like to be notified as more Rapid-Response announcements are created, please sign up for the newsletter. 

JupiterOne Team
JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

To hear more from the JupiterOne Team, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

The top 11 questions that every CISO should be able to answer
January 30, 2023
Blog
The top 11 questions that every CISO should be able to answer

In part one of this two-part series, we polled some of our top security experts to see what it takes to succeed secure and manage resources effectively.

Best of Cyber Therapy, Season 1
January 25, 2023
Blog
Best of Cyber Therapy, Season 1

Take a look at the top 5 episodes from Season 1 of Cyber Therapy, a video podcast featuring the humans of cybersecurity!

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.