Open source: Tea Protocol leads to “cobra effect” on package manager npm

The company Phylum, which specializes in software supply chain security, has discovered a flood of spam in the package manager npm over the past six months. More than two thirds of the new packages it examined were spam.

These are probably not packages containing malicious code, but packages intended to make money via the Tea Protocol, an initiative that aims to reward developers who contribute to open source projects.

The father of the Tea Protocol is Max Howell, the brain behind the package manager Homebrew. Its core idea is to evaluate open source projects by their distribution and usefulness and to reward those responsible for and involved in a project with cryptocurrency.

TeaRank, which is based on Google's PageRank, evaluates the distribution and hence the usefulness of packages from their dependencies. Apparently npm spammers exploit this calculation in the same way that early search engine spammers and SEO (search engine optimization) operators exploited the PageRank algorithm.

In its preliminary investigations, Phylum observed that the number of new packages on npm has been rising steadily since February 2024. The number of new publications grew from around 1,500 per working day at the beginning of the year to a peak of 48,000 on April 8.

Many packages have names consisting of absurd, seemingly random letter combinations, and there are a striking number of dependencies between them. Among other things, about 100,000 packages declare a dependency on the random-job-selector package, which raises that project's TeaRank.


Over 99,000 projects with largely random names use the package.

(Image: Screenshot (Reinald Menz-Sonnentag))

The fact that random-job-selector in turn depends on, among others, random-drink-selector and random-religion-selector is at least noteworthy.

For packages to be evaluated for the Tea Protocol, they need a tea.yaml file. It is not found in all packages, but it is present in some genuine packages “in the quagmire of transitive dependencies”, as the Phylum blog post puts it.
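The pattern described above, many random-named packages all pointing at one target to inflate its rank, can be approximated with a reverse-dependency count plus a crude name-randomness check. The following is an added example, not Phylum's or the Tea Protocol's code; the manifest format (dicts with name, dependencies and a tea_yaml flag) and the dependent names in the sample are constructed.

```python
"""Heuristic to spot dependency clusters that look like TeaRank farming.
Added example, not Phylum's or Tea's code: manifests are dicts with
name, dependencies and tea_yaml (whether the package carries a tea.yaml)."""
import re
from collections import defaultdict


def looks_random(name: str) -> bool:
    """Crude keyboard-noise test: a '-', '_' or '.' separated part with a
    run of 5+ consonants, or a vowel-less part of 4+ letters."""
    for part in re.split(r"[-_.]", name.lower().rsplit("/", 1)[-1]):
        letters = re.sub(r"[^a-z]", "", part)
        if not letters:
            continue
        runs = re.findall(r"[^aeiou]+", letters)
        longest = max((len(r) for r in runs), default=0)
        if longest >= 5 or (len(letters) >= 4 and longest == len(letters)):
            return True
    return False


def suspicious_targets(manifests, min_dependents=3, min_random_share=0.8):
    """Map each heavily-depended-on package to stats when at least
    min_random_share of its dependents have random-looking names."""
    dependents = defaultdict(list)
    for m in manifests:
        for dep in m.get("dependencies", []):
            dependents[dep].append(m)
    flagged = {}
    for target, deps in dependents.items():
        if len(deps) < min_dependents:
            continue
        random_share = sum(looks_random(d["name"]) for d in deps) / len(deps)
        if random_share >= min_random_share:
            flagged[target] = {
                "dependents": len(deps),
                "random_share": random_share,
                "tea_yaml_share": sum(bool(d.get("tea_yaml")) for d in deps) / len(deps),
            }
    return flagged


# Constructed sample: dependent names are invented; only random-job-selector
# and its two dependencies are taken from the article.
SAMPLE = [
    {"name": "random-job-selector",
     "dependencies": ["random-drink-selector", "random-religion-selector"]},
    *({"name": n, "dependencies": ["random-job-selector"], "tea_yaml": True}
      for n in ["qzxvbtk", "hjkwlmp", "xrtnvsk", "zpkqwmt"]),
    {"name": "job-board-demo", "dependencies": ["random-job-selector"]},
    *({"name": n, "dependencies": ["express"]}
      for n in ["my-web-app", "blog-server", "api-gateway"]),
]
```

Running `suspicious_targets(SAMPLE)` flags only random-job-selector (five dependents, 80 percent random-named, 80 percent carrying a tea.yaml); express, with three ordinary-named dependents, is not flagged.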

According to Phylum, 890,000 completely new packages – not version updates – have appeared on npm since February 2024, of which the company examined 900, i.e. a sample of roughly one in a thousand. About 70 percent of the packages examined were spam.

The spam packages served only to collect cryptocurrency via the Tea Protocol; Phylum did not find any malicious code. The often cryptic package names also point in this direction: unlike typosquatting or brandjacking packages, they are not meant to be picked up by others so that malicious code finds its way into their projects. Brandjacking uses company names such as Twilio to pose as a legitimate source. In typosquatting, packages containing malicious code are given names similar to those of popular packages. The method relies on the one hand on typos and on the other on separators such as underscores and hyphens: my-packet becomes my-paket, mypacket or my_packet. Attackers hope, with some justification, that someone will make a mistake.

The biggest losers are, on the one hand, the operators of npm and, on the other, open source developers who legitimately use the protocol and, because of the spam, get a significantly smaller piece of the pie.

The spam wave is a kind of cobra effect for open source. Horst Siebert's book of the same name describes misguided incentives in economics that have the opposite, negative effect. The term comes from the story of a bounty on cobras that caused the snake population to rise rather than fall, because resourceful bounty hunters bred new cobras to earn more money. Once the bounty was withdrawn, the breeders released the surviving cobras into the wild.

The spam wave on npm is not the first negative effect of this kind: early on, it was reported that open source maintainers on GitHub were faced with strange pull requests in their projects. With the flood of largely useless open source contributions, the question at least arises of what AI models trained on these projects learn from them.

More information on Phylum's examination of the npm packages can be found in the company's blog post.


(RME)
