The Rules of Contagion


Koçulu protested and eventually responded by removing all of his
code. That included left-pad, which meant that any chains of
programs that relied on Koçulu’s tool were suddenly broken. And
because some of the chains were so long, many developers hadn’t
realised they were so reliant on those eleven lines of code.


Koçulu’s work is just one example of computer code that has
spread much further than we might think. Soon after the left-pad
incident, software developer David Haney noted that another tool on
npm – which consisted of a single line of code – had become an
essential part of seventy-two other programs. He listed several other
pieces of software that were highly dependent on simple snippets of
code. ‘I can’t help but be amazed by the fact that developers are
taking on dependencies for single line functions that they should be
able to write with their eyes closed,’ he wrote.[36] Borrowed pieces
of code can often spread further than people realise. When
researchers at Cornell University analysed articles written with
LaTeX, a popular scientific writing software, they found that
academics would often repurpose each other’s code. Some files had
spread through networks of collaborators for more than twenty years.[37]

As code spreads, it can also pick up changes. After those three
students posted the Mirai code online at the end of September 2016,
dozens of different variants emerged, each with subtly different
features. It was only a matter of time before someone altered the
code to launch a major attack. In early October, a few weeks before
the Dyn incident, security company RSA noticed a remarkable claim
on a dark net marketplace: a group of hackers was offering a way to
flood a target with 125 gigabytes of activity per second. For $75,000,
someone could buy access to a 100,000-strong botnet, which was
apparently based on some adapted Mirai code.[38] However, it
wasn’t the first time the Mirai code had changed. In the weeks before
they published the code, Mirai’s creators made over twenty
alterations, apparently in an attempt to increase the contagiousness
of their botnet. These included features that made the worm harder
to detect, as well as tweaks to fight off other malware that was
