Faker NPM package back on track after malicious coding incident

A new group of maintainers is proceeding with an ‘official’ version of the Faker JavaScript library after the previous maintainer went rogue.

Faker NPM package back on track after malicious coding incident
Gonin / Getty Images

In the wake of a recent incident that wreaked havoc on the NPM package registry, a new group of maintainers is reestablishing the Faker project, making it a community effort. The previous maintainer had sabotaged the Faker NPM package with malicious code, impacting more than 2,500 other NPM packages that depend on it.

The Faker JavaScript library generates mock data for testing and development. A group of engineers has created a GitHub repo for the new Faker package and released previous versions at @faker-js/faker on NPM.

On January 4, the previous maintainer committed malicious code to the Faker and colors libraries, causing an infinite loop that impacted thousands of projects. In response, GitHub, which oversees NPM, removed the malicious Faker and colors packages and suspended the user account in accordance with NPM malware policy. A security advisory pertaining to colors was published, as well.

Faker was first implemented in Perl in 2004. In a January 14 bulletin, the new maintainers announced a plan to improve Faker and released a version 6.x alpha. Items on the roadmap include:

  • ESM (ECMAScript modules) support
  • Improved testing infrastructure
  • Typegen docs
  • Engaging with existing maintainers of the Faker ecosystem
  • Providing an interactive playground within the docs
  • Node.js 18 compatibility

The Faker and colors incident was not the first time NPM had been impacted by dependencies among packages. In 2016, a developer’s unpublishing of a small JavaScript package broke dependencies for many other projects.

Copyright © 2022 IDG Communications, Inc.