Report on Malicious Activities and Spam Package Abuse in npm Community

[alikia2x]

Detailed Report on Malicious Activities and Spam Package Abuse in npm Community

Note: This report is based on the observations and details provided and is intendednpmmassist npm where a group of users and organizations have been systematically publishing a large number of spam packages. These actions not only undermine the integrity of the npm registry but also pose significant risks to the broader software development community.

Summary of Malicious Activities

• Meaningless Content: These packages do not contain any useful code, cannot help other developers, but they did pollute the npm registry.
• Random Name Accounts: Numerous accounts with meaningless usernames and package names have been created. These accounts are often associated with randomly generated organizations to avoid namespace conflicts.
• Keyword Stuffing: Spam packages include irrelevant keywords in their package.json files to manipulate search results, as observed in the search for "uuid validate" on the Web Archive. For example, the spam package @dramaorg/psychic-couscous has more than 700 keywords that covers most of the common queries thus interfering with the search algorithm.
• Template-Based Content: The content of these packages follows a few fixed templates, including empty packages like @kazaferixm/api-light and templated packages like @diotoborg/dolores-praesentium-assumenda.
• Circular Dependencies: These packages often depend on each other within the same spam organization, to artificially boost their search rankings. For example, the packages of the spam organization @diotoborg depend on an average of 29 packages from the same organization, which ultimately means that some of its packages, such as @diotoborg/dolores-praesentium-assumenda, can be depended on by as many as 580 spam packages under its name, thus affecting search results.
• Copy README from popular packages: These packages often copy the README file from popular packages. For example, spam package @diotoborg/ratione-error-odio has the same README as pnpm, leading to potential confusion among developers.

Specific Example

A notable example is the package @diotoborg/dolores-praesentium-assumenda, which has a README file distinct from another spam package @patrtorg/illum-sapiente-quos. The latter's README is copied from fast-xml-parser, leading to potential confusion among developers.

Impact on npm Community

• Quality of Search Results: The behavior of spam packages manipulating search rankings seriously affects the reliability of search results. This makes it impossible for developers to effectively find the packages they need.
• Misleading Developers: The use of legitimate README files from well-known packages can mislead developers into using spam packages, resulting in failed imports and other issues.
• Potential Infrastructure Strain: The mass creation and dependency chaining of these packages could potentially strain npm's infrastructure, affecting the performance and reliability of the npm registry.

Violations of npm Terms

These activities violate several sections of the npm Open-Source Terms, particularly those related to:

1. **Acceptable Use -npmm Open-Source Terms - npm npm to take action against the accounts and packages involved in the described behavior, potentially including removal of packages, suspension of accounts, and other measures to enforce the acceptable use and content policies of the npmlicy](https://docs.npmjs.com/policies/disputes)."

   • Reason: The creation and distribution of numerous packages with misleading content and dependencies likely violates the spirit of maintaining a friendly and safe environment as outlined in the Code of Conduct.

2. Acceptable Content - npm Open-Source Terms - Acceptable Content

   • Section: Acceptable Content
   • Clause: "Administrators at npm reserve the right to delete content hosted on the npm Services that they deem unacceptable."
   • Reason: The use of misleading package names and content designed to manipulate search rankings and mislead developers fits the description of content that npm administrators might deem unacceptable.

3. Friendly Harassment-Free Space - npm Code of Conduct - Friendly Harassment-Free Space

   • Section: Friendly Harassment-Free Space
   • Clause: "Any spamming, trolling, flaming, baiting, or other attention-stealing behavior is not welcome, and will not be tolerated."
   • Reason: The strategic creation of packages to manipulate search results and mislead users could be considered a form of spamming or trolling.

4. Enforcement of Acceptable Use - npm Open-Source Terms - Enforcement of Acceptable Use

   • Section: Enforcement of Acceptable Use
   • Clause: "npm may investigate and prosecute violations of this Agreement to the fullest legal extent."
   • Reason: Given the scale and impact of the reported behavior, npm has the authority and responsibility to investigate and address such violations.

These clauses collectively provide a basis for npm to take action against the accounts and packages involved in the described behavior, potentially including removal of packages, suspension of accounts, and other measures to enforce the acceptable use and content policies of the npm registry.

Spam Package Publishers

Here's some of the publishers (users and organizations) that we found publishing spam packages.

vanthuanbt26
erboladaiorg76
quochoanglm58
diotobtea
luongconghieufomo
micromint1npm
diotoborg
womorg
hishprorg
patrtorg
devtea2026
npmtuanmap
taktikorg
erboladaiorg
zitterorg

Recommendations

• Immediate Action: npm should take immediate action to identify and remove these spam packages and their associated accounts.
• Enhanced Monitoring: Implement more robust monitoring tools to detect and prevent such activities in the future.

Conclusion

The malicious activities described in this report pose a significant threat to the npm community. Immediate and decisive action is required to maintain the integrity and security of the npm registry.

[ebndev]

Hi @alikia2x, 👋🏻 We really appreciate you flagging this.

I've forwarded this to the proper GitHub team to review.

We are going to close this post, but for this and any future incidents, please refer to the links below.

• Reporting abuse or spam
• Reporting a user
• Reporting an issue or pull request
• Reporting a comment

Thank you!