Replies: 1 comment
-
Hi @alikia2x, 👋🏻 We really appreciate you flagging this. I've forwarded this to the proper GitHub team to review. We are going to close this post, but for this and any future incidents, please refer to the links below. Thank you! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Detailed Report on Malicious Activities and Spam Package Abuse in npm Community
Note: This report is based on the observations and details provided and is intendednpmmassist npm where a group of users and organizations have been systematically publishing a large number of spam packages. These actions not only undermine the integrity of the npm registry but also pose significant risks to the broader software development community.
Summary of Malicious Activities
package.json
files to manipulate search results, as observed in the search for "uuid validate" on the Web Archive. For example, the spam package @dramaorg/psychic-couscous has more than 700 keywords that covers most of the common queries thus interfering with the search algorithm.Specific Example
A notable example is the package @diotoborg/dolores-praesentium-assumenda, which has a README file distinct from another spam package @patrtorg/illum-sapiente-quos. The latter's README is copied from fast-xml-parser, leading to potential confusion among developers.
Impact on npm Community
Violations of npm Terms
These activities violate several sections of the npm Open-Source Terms, particularly those related to:
**Acceptable Use -npmm Open-Source Terms - npm npm to take action against the accounts and packages involved in the described behavior, potentially including removal of packages, suspension of accounts, and other measures to enforce the acceptable use and content policies of the npmlicy](https://docs.npmjs.com/policies/disputes)."
Acceptable Content - npm Open-Source Terms - Acceptable Content
Friendly Harassment-Free Space - npm Code of Conduct - Friendly Harassment-Free Space
Enforcement of Acceptable Use - npm Open-Source Terms - Enforcement of Acceptable Use
These clauses collectively provide a basis for npm to take action against the accounts and packages involved in the described behavior, potentially including removal of packages, suspension of accounts, and other measures to enforce the acceptable use and content policies of the npm registry.
Spam Package Publishers
Here's some of the publishers (users and organizations) that we found publishing spam packages.
Recommendations
Conclusion
The malicious activities described in this report pose a significant threat to the npm community. Immediate and decisive action is required to maintain the integrity and security of the npm registry.
Beta Was this translation helpful? Give feedback.
All reactions