Connect with us

Tech

The empty npm package ‘-‘ has over 700,000 downloads; here is why

Published

on

The empty npm package ‘-‘ has over 700,000 downloads;  here is why

A mysterious one-letter npm package called “-” that has been in the registry since 2020 has received more than 700,000 downloads.

And what is more? The package does not contain any functional code, so what causes it to get so many downloads?

Inside the npm package “-“

An npm package called ““It has had nearly 720,000 downloads since it was posted to the npm registry, since early 2020.

There is only one version of the package: 0.0.1 and it contains three files:

tar tvf 0.0.1 /-0.0.1.tgz

package / dist / index.js
package / package.json
package / README.md

Inside these files, mainly the manifest (package.json) and index.js, there is nothing extraordinarily interesting, just skeleton code.

The manifest includes a bunch of dev dependencies. (devDependencies) and invoke some commands in the “ts-node“, but that’s it. It’s practically dead code, for now:

npm package content
The index.js file and the manifest file (package.json) of “-” (Computer ringing)

“-” is used by more than 50 packages

It gets even better.

The practically useless package “-” serves as a dependency for more than 50 npm packages, without a clear explanation:

npm package - dependencies
The npm package “-” is used by 56 packages. (npmjs.org)

But most of these dependencies have no more than a few dozen weekly downloads.

So how come “-” got over 720,000 downloads?

It is plausible that the package is checked in when someone is running npm commands from the terminal and makes typos.

For example, to install an npm package called “somepackage”, you would have to run:

npm me some package

What if you were specifying some flags, but you made a mistake? For instance:

npm i – someFlag some package

The space between “-” and some flag you can have npm input “-” since the package with that name exists.

Therefore, it is plausible that the number of downloads of thousands of times of the package is the result of the developers making typographical errors.

And similarly, when adding dependencies to package.json via the command line, it is not too difficult to see how a “-” could slip by mistake.

In a test, Bleeping Computer ran the following misspelled command, intending to download “some package“Y”axsharma“from npm.

But notice the typo, an extra “-” before the “–save” flag:

npm install some axsharma package – –save

As expected, both the resulting file package-lock.json and the modules_node / The folder contained the “-” package, which explains how it could slip into its dependencies in the real world:

generated package-lock.json
The generated node_modules folder and the package-lock.json file contain the package “-” (Computer ringing)

Bleeping Computer contacted the author of the package. Dmitry Parzhitsky with some questions like why this package was created. But we have not received a reply.

The creation of the package itself could be accidental or caused by a test script that terminated prematurely.

Both the README.md file included within the package and the package’s npm page indicate that “-” was generated by a script:

npm package - readme
README file for “-” (Computer ringing)

Suffice it to say that while there is nothing at this point in “-” to indicate that it is malicious, we do not know what the next version of “-” would look like, should it be released.

Other examples of single letter packages or those that resemble npm commands include, but are not limited to: I, GRAM, Install on pc, D., Y s.

This means to write “npm ii somePackage ” by mistake, as opposed to “npm i somePackage, ” in turn, it will install the I package, in addition to some package.

“The real problem here is that you can install these packages and never know it. npm install – g my package will install the package you want. “

“Only later, when you try to access that package elsewhere, will there be any indication that you’ve made a typo. In the meantime, both of you other GRAM they have been making progress on their project. “

“npm could (and maybe should) not allow components that share names with their commands”, software developer Matt freeland on Sonatype shared with Bleeping Computer.

Freeland further stated that once the packages are installed, npm displays a summary success message such as “added 3 packages and audited 8 packages”, instead of printing the exact list of installed packages.

“Naming the installed packages in the success message would give developers the opportunity to detect their errors,” he continued.

In recent times, open source registries, including npm, have [1, 2, 3] it has been flooded with malware or unwanted content.

Developers should be careful when writing npm commands in the terminal, especially when using flags. It is also a good idea to check why your packages are dependent in this mysterious package.

Advertisement
Advertisement

Lifestyle

LifeStyle3 days ago

How to Prioritize Self Care as a New Parent

A bundle of joy has joined you in your life and you couldn’t be happier. But, at the same time,...

LifeStyle3 days ago

5 Reasons Why You Can’t Stay Asleep

You have likely heard it most of your life: getting a good night’s sleep is important for your overall health....

LifeStyle6 days ago

4 Ways to Spread Joy This Fall

Traditionally, many people strive to spread as much joy as they can in the weeks leading up to Christmas. But...

LifeStyle3 weeks ago

Tips to Boost Your Energy and Ensure Life Longevity with NMN Supplements

Australia’s median age limit increased by two years recently. Higher NAD+ can improve your metabolism rates and prolong natural aging....

LifeStyle2 months ago

5 Tips on Writing APA Research Paper

When students reach college education, they understand that it won’t all be flowers and sunshine. There are different courses with...

Support group for businesses to overcome challenges Support group for businesses to overcome challenges
LifeStyle2 months ago

Support group for businesses to overcome challenges

All-day brunch and soup kitchen Cafe Coco suffered as walk-ins dwindled significantly. It’s a tourist-dependent cafe that’s nestled in the...

S’pore startup Shiok Meats acquires clean red meat company Gaia Foods S’pore startup Shiok Meats acquires clean red meat company Gaia Foods
LifeStyle2 months ago

S’pore startup Shiok Meats acquires clean red meat company Gaia Foods

According to Technology in Asia, Shiok Meats has acquired a stake of more than 90% in Gaia Foods for an...

Marianna Hewitt’s home proves that neutral decor can be full of personality Marianna Hewitt’s home proves that neutral decor can be full of personality
LifeStyle2 months ago

Marianna Hewitt’s home proves that neutral decor can be full of personality

If anyone understands the importance of maintaining your brand, it is Marianna Hewitt. The trusted influencer and founder of the...

The 16 best stuffed pepper recipes for every occasion The 16 best stuffed pepper recipes for every occasion
LifeStyle2 months ago

The 16 best stuffed pepper recipes for every occasion

Something you may not know about me is that I absolutely adore a pepper. Raw, cooked, marinated, bathed: each and...

Top 10 Bedroom Plants That Work As Air Purifying Plants Top 10 Bedroom Plants That Work As Air Purifying Plants
LifeStyle2 months ago

Top 10 Bedroom Plants That Work As Air Purifying Plants

Setting a specific tone in a bedroom can happen in many ways. A beautiful candle, plush rugs, soft bedding, soothing...

Advertisement

Sport

Sports2 months ago

5 Tips for Setting Up Your PC for Online Gaming

Due to advances in technology, online gamers can enjoy a gaming experience that was unthinkable even a decade ago. High-resolution...

Sports2 months ago

How to Succeed in Poker Tournaments

Perhaps your first big poker tournament is coming up, or you’ve been gathering skills ready to enter – no matter...

Sports2 months ago

Is The Olympics Still Relevant?

As the Tokyo Olympics has come to a close, competitors must move on from the excitement of experiencing an Olympic...

Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’ Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’
Sports2 months ago

Fernández reflects on the game against Dart: ‘Honestly, I can’t think of anything positive’

var adServerUrl = “”; var $ el = $ (“# video_container-985707”); var permalink = $ el.closest (‘. snet-single-article’). data (‘permalink’);...

Tammy Abraham to Roma – Mourinho is the perfect coach for the striker Tammy Abraham to Roma – Mourinho is the perfect coach for the striker
Sports2 months ago

Tammy Abraham to Roma – Mourinho is the perfect coach for the striker

It seems that not too long ago, a young English Target Man was a troubling prospect for most Premier League...

Explanation: Why Barcelona had to let Messi go Explanation: Why Barcelona had to let Messi go
Sports2 months ago

Explanation: Why Barcelona had to let Messi go

Barcelona’s Argentine forward Lionel Messi cries during a press conference at Barcelona’s Camp Nou stadium on August 8, 2021. –...

Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches? Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches?
Sports2 months ago

Are Arsenal and Spurs left out of the top 6 in dispute as the 2021/22 season approaches?

Manchester United, Manchester City, Liverpool, Chelsea, Spurs and Arsenal are the teams that are widely regarded as the top 6...

What should team Canada’s men’s hockey roster look like? What should team Canada’s men’s hockey roster look like?
Sports2 months ago

What should team Canada’s men’s hockey roster look like?

We have sent an email with instructions to create a new password. Your current password has not been changed. We...

Haaland, but staying in Dotmund, can BVB get the title on 21/22? Haaland, but staying in Dotmund, can BVB get the title on 21/22?
Sports2 months ago

Haaland, but staying in Dotmund, can BVB get the title on 21/22?

There are almost twenty days left in the transfer window. The window is in full swing as deals that would...

Knicks agree to deal with Dwayne Bacon: reports Knicks agree to deal with Dwayne Bacon: reports
Sports2 months ago

Knicks agree to deal with Dwayne Bacon: reports

Dwayne Bacon # 8 of the Orlando Magic shoots as John Collins # 20 of the Atlanta Hawks defends during...

Advertisement

Entertainment

Venice adds Doc ‘Ennio’;  Netflix Confirms Sanjay Leela Bhansali Series – News Block Venice adds Doc ‘Ennio’;  Netflix Confirms Sanjay Leela Bhansali Series – News Block
Entertainment2 months ago

Venice adds Doc ‘Ennio’; Netflix Confirms Sanjay Leela Bhansali Series – News Block

Venice adds Giuseppe Tornatore’s Ennio Morricone film The Venice Film Festival incorporates the Out of Competition screening of Ennio Morricone’s...

The Jeffrey Epstein Victims Fund has finished paying $ 121 million The Jeffrey Epstein Victims Fund has finished paying $ 121 million
Entertainment2 months ago

The Jeffrey Epstein Victims Fund has finished paying $ 121 million

After awarding more than $ 121 million to about 150 applicants, a compensation program for survivors of Jeffrey Epstein’s sexual...

Matt Roloff and Karyn Chandler move in together, discuss marriage Matt Roloff and Karyn Chandler move in together, discuss marriage
Entertainment2 months ago

Matt Roloff and Karyn Chandler move in together, discuss marriage

Small people, big world star Matt Roloff and his girlfriend, Karyn Chandlerhave revealed their big summer plans in a new...

Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’ Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’
Entertainment2 months ago

Mike Shouhed wants Reza Farahan to apologize for being a ‘traitor’

Shouhed says his Shahs of Sunset co-star “cuts deep and says things that are hard to forgive.” While a sexting...

Joey Lawrence and Samantha Cope are engaged Joey Lawrence and Samantha Cope are engaged
Entertainment2 months ago

Joey Lawrence and Samantha Cope are engaged

He put a ring on it! Joey lawrence is engaged to the actress Samantha cope one year after filing for...

Christine Applegate was diagnosed with multiple sclerosis Christine Applegate was diagnosed with multiple sclerosis
Entertainment2 months ago

Christine Applegate was diagnosed with multiple sclerosis

August 10, 2021 Christine Applegate was diagnosed with multiple sclerosis (MS). Christina Applegate The 49-year-old actress took to Twitter on...

UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block
Entertainment2 months ago

UK advertisers form tapestry with clients Coel, Fassbender, Foy – News Block

EXCLUSIVE: UK advertisers Donna Mills and Emma Jackson, longtime representatives of London-based Premier Communications, have launched the new advertising agency...

Christina Applegate: actress reveals multiple sclerosis diagnosis Christina Applegate: actress reveals multiple sclerosis diagnosis
Entertainment2 months ago

Christina Applegate: actress reveals multiple sclerosis diagnosis

prime time Emmy-winning actor Christina applegate has revealed a multiple sclerosis condition through a Twitter post late on Monday night....

Prince Harry and Meghan Markle wanted to move to New Zealand in 2018 Prince Harry and Meghan Markle wanted to move to New Zealand in 2018
Entertainment2 months ago

Prince Harry and Meghan Markle wanted to move to New Zealand in 2018

Prince harry and Meghan Markle according to Queen Elizabeth IIRepresentative to New Zealand, Governor General Patsy Reddy… She said Associated...

Alarming new UN climate report says humanity has really screwed itself up Alarming new UN climate report says humanity has really screwed itself up
Entertainment2 months ago

Alarming new UN climate report says humanity has really screwed itself up

The last evaluation of climate science is a “code red for humanity,” the United Nations chief said on Monday, while...

Advertisement

Tech

Tech1 day ago

How to Provide Cybersecurity for Firefox

Mozilla Firefox is one of the first browsers that come to mind when thinking about the best privacy-oriented browsers available...

Tech3 weeks ago

6 Important Questions to Ask Your Internet Provider

Choosing the best internet provider can be challenging, especially when you don’t know what questions to ask. You want to...

Tech4 weeks ago

How Serious is Plagiarism in College?

Studying in college often demands writing essays and course papers. You may study technical subjects and do not have many...

Tech4 weeks ago

Three Possible Ways of How You Can Transfer Contacts from Outlook to iPhone

MS Outlook plays an important role in putting daily life in order, especially with regard to email management. If you...

Tech4 weeks ago

Importance of Email Validation

According to recent stats, 30% of users change their email every year. Therefore, if your mailing list is more than...

Tech4 weeks ago

Before Doing Virtual Staging, Here’s What You Should Know

The majority of people today go online to look for homes. When a potential buyer spots a house online that...

Tech1 month ago

What Technologies are Online Casinos Using?

Online casinos have become an ideal choice for a lot of players, especially because they let players take their games...

Tech2 months ago

Grow Your Brand With These 5 Social Media Tips

Whether you’re operating a new business or working to grow your brand, social media is an excellent place to start....

Tech2 months ago

Is Mining Ethereum Still Profitable in 2021?

Globally, there have been lots of innovations and modernization in different aspects of life. This fact has contributed to the...

Tech2 months ago

Popularity Of the Blockchain Technology: How Familiar Are You with It?

Cryptocurrencies are a form of digital currency that stands out because it is decentralized. Cryptocurrency also stands out because it...

Advertisement
Advertisement