Welcome! As a Spammer of the registry (pun intended), I want to explain to you what's going on with the NPM registry and its management.

At first, I felt the title `It's Party Time For NPM Spammers🥳` was offensive, unlawful, or disrespectful, so I also asked an AI chatbot for help. I got the following results, but I purposely kept the original title to get attention from both NPM and the dev community.

AI Chatbot: Certainly! Here are some alternative titles for your blog post on spammers in the NPM registry:

- “Navigating the Murky Waters: A Deep Dive into NPM Registry Spam”
- “Guarding the NPM Gates: Strategies to Combat Registry Spam”
- “Unmasking the Shadows: Inside the World of NPM Registry Spammers”

Let's start with some basics. I ask you to take a close look at the screenshots that follow.

## What is NPM?

It is the world's largest software registry and a Node Package Manager for the JavaScript programming language, maintained by Microsoft's npm, Inc.

## Types of Spam

Let me list some types from my experience, with a few real examples currently living in the registry.

- **Keyword Stuffing:** Packages using irrelevant keywords to appear in more search results.
- **Malicious Code:** Packages containing harmful code or backdoors.
- **Rewarding decentralized protocol (New Type):** These packages were created to earn incentives from the OSS blockchain technology. You can learn more from here.
- **Fake Packages:** Impersonating popular packages to deceive users.
- **Low-Quality Packages:** Flooded with typos, irrelevant content, or empty functionality.
- **Bot-Generated Packages:** Automated spam submissions.
- **Phishing Attempts:** Packages designed to steal sensitive information.
- **Dependency Spam:** Malicious packages as dependencies of legitimate ones.
- **Hello World Packages (Low priority issue):** Students and learners publishing their first packages.
- **Weird Packages:** There are many packages with an index.js file containing a comment that says something like the one below. I tried to understand it with Google Translate, with no luck; if you can read it, please let me know in the comments.
- **Fancy Packages Control:** These users acquire short package names.

NOTE: This list excludes security-related malicious packages, as they are often reported by the experts. Some notable past incidents:

- https://www.sonatype.com/resources/blog/npm-flooded-with-748-packages-that-store-movies
- https://thehackernews.com/2023/09/fresh-wave-of-malicious-npm-packages.html
- https://thehackernews.com/2023/08/malicious-npm-packages-found.html

## Some Spammers List

Here I am going to list some of them, because it is simply not possible to list all of them, along with the number of packages published by each one.

- https://www.npmjs.com/~onedionysc - 6931
- https://www.npmjs.com/~shivamkalsi2024 - 997
- https://www.npmjs.com/~79w - 551
- https://www.npmjs.com/~ellentea - 599
- https://www.npmjs.com/~uirewikilabs - 323
- https://www.npmjs.com/~quinterochris100 - 361
- https://www.npmjs.com/~vanthuanbt26 - 250
- https://www.npmjs.com/~tiengiangb47 - 230
- https://www.npmjs.com/~swenkertreanpm - 227
- https://www.npmjs.com/~loandinhb931 - 224

These are my random picks, and who knows how many of them there are.

## The Team's Response

## The Problem

The problem is not the spammers, as there will always be spammers; the real problem is with the management. Take, for example: if someone reports this via one of your support forums, the reply they get is simply a redirection; they redirect you to fill out their respective forms for spam submissions. What if the reporter did not want to do extra work here?

The important thing to note here is that the spammers and their packages live happily, even after we provide the absolute spam users and their package links.

## Conclusion

I am writing this blog because I waited too long for them to fix it.
> Justice delayed is justice denied - William Blackstone

Please don't forget to check out our important articles:

- Introducing Our New JavaScript Standard Library
- You Don’t Need JavaScript Native Methods!

Happy coding! 🚀

🙏 Thanks for reading.
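As an added example that is not part of the original post, the JavaScript below turns some of the spam categories listed above (keyword stuffing, hello-world or empty packages, short-name grabbing) and the per-user bulk publishing behind the spammers list into simple heuristic checks run over constructed package metadata. Field names mirror package.json, but the thresholds and the sample data are my own assumptions.

```javascript
// Added example, not from the original post: heuristic checks for some of the spam
// categories listed above. Thresholds and the SAMPLE data are assumptions for illustration.
const SHORT_NAME_MAX = 2;        // "fancy" short names such as "ab"
const KEYWORD_STUFF_MIN = 15;    // more keywords than a small package plausibly needs
const KEYWORD_OVERLAP_MAX = 0.2; // max share of keywords related to name/description
const BULK_PUBLISH_MIN = 200;    // packages per maintainer before we call it bulk

const tokenize = (s) => new Set(String(s).toLowerCase().match(/[a-z0-9]+/g) || []);
// Strip JS comments so an index.js holding only a comment counts as "no code".
const stripComments = (src) => src.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, "").trim();

// Returns the spam categories a single package's metadata matches.
function classifyPackage(meta) {
  const flags = [];
  const name = meta.name || "";
  const keywords = meta.keywords || [];
  const known = tokenize(`${name} ${meta.description || ""}`);
  // Keyword stuffing: many keywords, almost none related to the package itself.
  if (keywords.length >= KEYWORD_STUFF_MIN) {
    const related = keywords.filter((k) => [...tokenize(k)].some((t) => known.has(t)));
    if (related.length / keywords.length <= KEYWORD_OVERLAP_MAX) flags.push("keyword-stuffing");
  }
  // Hello World / empty functionality: a lone index.js with no code or just a console.log.
  const files = meta.files || {};
  if (Object.keys(files).length === 1 && "index.js" in files) {
    const code = stripComments(files["index.js"]);
    if (code === "" || /^console\.log\([^)]*\);?$/.test(code)) flags.push("hello-world-or-empty");
  }
  // Fancy short names.
  if (name.length > 0 && name.length <= SHORT_NAME_MAX) flags.push("short-name-squatting");
  return flags;
}

// Returns maintainers whose package count suggests bot-generated bulk publishing.
function bulkPublishers(packages) {
  const counts = new Map();
  for (const p of packages) counts.set(p.maintainer, (counts.get(p.maintainer) || 0) + 1);
  return [...counts].filter(([, n]) => n >= BULK_PUBLISH_MIN).map(([m]) => m);
}

// Constructed sample: a stuffed package, a comment-only index.js, and a bulk publisher.
const SAMPLE = [
  { name: "fast-utils", description: "tiny helper", maintainer: "user-a",
    keywords: ["bitcoin", "crypto", "wallet", "nft", "airdrop", "free", "money", "seo",
               "vue", "angular", "python", "java", "game", "movie", "music", "stream"] },
  { name: "hi", description: "test", maintainer: "user-b", files: { "index.js": "// hello\n" } },
  ...Array.from({ length: 200 }, (_, i) => ({ name: `pkg-${i}`, maintainer: "bulk-user" })),
];
```

Such heuristics only triage: a flagged package still needs a human look before a spam report, and the thresholds should be tuned against real registry data.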