379 reads

It's Party Time For NPM Spammers🥳

by Thanga GanapathyMay 17th, 2024

Too Long; Didn't Read

The NPM registry is the world's largest software registry and a Node Package Manager for the JavaScript programming language maintained by Microsoft's npm, Inc. There are many types of spam in the registry, including fake, malicious, and low-quality packages. NPM is a decentralized protocol (New Type) with incentives from OSS blockchain technology.

featured image - It's Party Time For NPM Spammers🥳

Welcome,

As a Spammer of the registry (pun intended), I want to explain to you what's going on with the NPM registry and its management.

At first, I felt the title `It's Party Time For NPM Spammers🥳` was offensive, unlawful, or disrespectful, and I also asked for help from an AI chatbot. I got the following results, but I purposefully stayed with the same to get attention from both NPM and the dev community.

AI Chatbot: Certainly! Here are some alternative titles for your blog post on spammers in the NPM registry:

“Navigating the Murky Waters: A Deep Dive into NPM Registry Spam”
“Guarding the NPM Gates: Strategies to Combat Registry Spam”
“Unmasking the Shadows: Inside the World of NPM Registry Spammers”

Let's start with some basics. I request that you take a close look at the forthcoming screenshots.

What is NPM?

It is the world's largest software registry and a Node Package Manager for the JavaScript programming language maintained by Microsoft's npm, Inc.

Types of Spam

Let's list out some with my experience and a few real examples currently living in the registry.

Keyword Stuffing:

Packages using irrelevant keywords to appear in more search results.
Malicious Code:

Packages containing harmful code or backdoors.
Rewarding decentralized protocol (New Type):

These packages were created to get some incentives from the OSS blockchain technology. You can learn more from here.
Fake Packages:

Impersonating popular packages to deceive users.
Low-Quality Packages:

Flooded with typos, irrelevant content, or empty functionality.
Bot-Generated Packages:

Automated spam submissions.
Phishing Attempts:

Packages designed to steal sensitive information.
Dependency Spam:

Malicious packages as dependencies of legitimate ones.
Hello World Packages (Low priority issue):

The students & learners try their first-time packages.
Weird Packages:

There are many packages with index.js file containing a comment which says something like the below and I try to understand with the google translator, no luck, if you got it, please let me know in the comments.

Fancy Packages Control:

These kinds of users acquire short package names.

NOTE: This list excludes security related malicious packages as they are often reported by the experts.

Some notable past incidents:

Some Spammers List

Here, I am going to list some of them because it is simply not possible to list all of them here, also, with the number of packages published by each one.

https://www.npmjs.com/\~onedionysc - 6931
https://www.npmjs.com/\~shivamkalsi2024 - 997
https://www.npmjs.com/\~79w - 551
https://www.npmjs.com/\~ellentea - 599
https://www.npmjs.com/\~uirewikilabs - 323
https://www.npmjs.com/\~quinterochris100 - 361
https://www.npmjs.com/\~vanthuanbt26 - 250
https://www.npmjs.com/\~tiengiangb47 - 230
https://www.npmjs.com/\~swenkertreanpm - 227
https://www.npmjs.com/\~loandinhb931 - 224

These are my random picks, and who knows how many of them are.

The Team's Response

The Problem

The problem is not the spammers, as they always will be, but the real problem is within the management.

Take, for example:

If someone reports this via one of your support forums, the reply they get is simply redirection; they are redirecting you to fill out their respective forms for spam submissions.

What if the reporter did not want to do extra work here?

The important thing to note here is that the spammers and their packages live happily, even after we provide the absolute spam users and their package links.