NPM: It's Spammers Party Time 🥳

thangaganapathy

Thanga Ganapathy

Posted on May 10, 2024

NPM: It's Spammers Party Time 🥳

Welcome,

As a Spammer of the registry (pun intended), I want to explain to you what's going on with the NPM registry and its management.

At first, I felt the title itself offensive or unlawful or disrespectful and also asked help from an AI chatbot, got the following results but I purposefully stayed with the same to get attention from both NPM and the dev community.

AI Chatbot: Certainly! Here are some alternative titles for your blog post on spammers in the NPM registry:

  1. “Navigating the Murky Waters: A Deep Dive into NPM Registry Spam”

  2. “Guarding the NPM Gates: Strategies to Combat Registry Spam”

  3. “Unmasking the Shadows: Inside the World of NPM Registry Spammers”

Let's start with some basics and I request that you have a close look at the forthcoming screenshots.

What is NPM?

It is the world's largest software registry and a Node Package Manager for the JavaScript programming language maintained by Microsoft's npm, Inc.

NPM numbers

Types of Spam

Let's list out some with my experience and a few real examples currently living in the registry.

  • Keyword Stuffing:

    Packages using irrelevant keywords to appear in more search results.

Keywords

  • Malicious Code:

    Packages containing harmful code or backdoors.

  • Rewarding decentralized protocol (New Type):

    These packages were created to get some incentives from the OSS block chain technology. You can learn more from here.

tea 1

tea 2

  • Fake Packages:

    Impersonating popular packages to deceive users.

  • Low-Quality Packages:

    Flooded with typos, irrelevant content, or empty functionality.

Low quality

  • Bot-Generated Packages:

    Automated spam submissions.

Bot generated

  • Phishing Attempts:

    Packages designed to steal sensitive information.

  • Dependency Spam:

    Malicious packages as dependencies of legitimate ones.

  • Hello World Packages (Low priority issue):

    The students & learners try their first-time packages.

hello world pkgs

  • Weird Packages:

    There are many packages with index.js file containing a comment which says something like the below and I try to understand with the google translator, no luck, if you got it, please let me know in the comments.

google translator

  • Fancy Packages Control:

    These kinds of users acquire short package names.

fancy pkgs

cvv

NOTE: This list excludes security related malicious packages as they are often reported by the experts.

Some notable past incidents:

Some Spammers List

Here I am going to list out some of them because it is simply not possible to list all of them here. Also, with the number of packages published by each one.

  1. https://www.npmjs.com/~onedionysc - 6931

  2. https://www.npmjs.com/~shivamkalsi2024 - 997

  3. https://www.npmjs.com/~79w - 551

  4. https://www.npmjs.com/~ellentea - 599

  5. https://www.npmjs.com/~uirewikilabs - 323

  6. https://www.npmjs.com/~quinterochris100 - 361

  7. https://www.npmjs.com/~vanthuanbt26 - 250

  8. https://www.npmjs.com/~tiengiangb47 - 230

  9. https://www.npmjs.com/~swenkertreanpm - 227

  10. https://www.npmjs.com/~loandinhb931 - 224

These are my random picks and who knows how many of them are.

The Team's Response

team response 1

team response 2

team response 3

The Problem

The problem is not the spammers, as they always will be, but the real problem is within the management.

Take for example,

If someone reports this via one of your support forums, the reply they get is simply redirection; they are redirecting you to fill out their respective forms for spam submissions.

What if the reporter did not want to do extra work here?

The important thing to note here is that the spammers and their packages live happily even after we provide the absolute spam users and their package links.

Conclusion

I am writing this blog because I waited too long for them to fix it.

Justice delayed is justice denied

- William Blackstone

Please don't forget to check out our important Articles:

Happy coding! 🚀

🙏 Thanks for reading.

💖 💪 🙅 🚩
thangaganapathy
Thanga Ganapathy

Posted on May 10, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related