A mysterious one-letter npm package called “-” that has been in the registry since 2020 has received more than 700,000 downloads.
And what is more? The package does not contain any functional code, so what causes it to get so many downloads?
Inside the npm package "-"
An npm package called "-" has had nearly 720,000 downloads since it was posted to the npm registry in early 2020.
There is only one version of the package, 0.0.1, and it contains three files:
Inside these files, mainly the manifest (package.json) and index.js, there is nothing particularly interesting, just skeleton code.
The manifest lists a bunch of development dependencies (devDependencies) and invokes some commands via "ts-node", but that's it. It is practically dead code, for now:
"-" is used by more than 50 packages
It gets even better.
The practically useless package "-" serves as a dependency for more than 50 npm packages, without any clear explanation:
But most of these dependents have no more than a few dozen weekly downloads.
So how come “-” got over 720,000 downloads?
It is plausible that the package gets pulled in when someone running npm commands from the terminal makes a typo.
For example, to install an npm package called "somepackage", you would run:
npm i somepackage
What if you were specifying some flags but made a mistake? For instance:
npm i - someFlag somepackage
The space between the "-" and someFlag can make npm pull in "-", since a package with that name exists.
Therefore, it is plausible that the large number of downloads of the package is the result of developers making typographical errors.
Similarly, when adding dependencies to package.json via the command line, it is not hard to see how a "-" could slip in by mistake.
Notice the typo, an extra "-" before the "--save" flag:
npm install somepackage - --save
As expected, both the resulting package-lock.json file and the node_modules folder contained the "-" package, which explains how it could slip into real-world dependencies:
BleepingComputer contacted the package's author, Dmitry Parzhitsky, with questions such as why this package was created, but we have not received a reply.
The creation of the package itself could be accidental or caused by a test script that terminated prematurely.
Both the README.md file included within the package and the package’s npm page indicate that “-” was generated by a script:
Suffice it to say that while there is nothing at this point in “-” to indicate that it is malicious, we do not know what the next version of “-” would look like, should it be released.
This means typing "npm ii somePackage" by mistake, as opposed to "npm i somePackage", would in turn install the "i" package in addition to somePackage.
"The real problem here is that you can install these packages and never know it. npm install - g mypackage will install the package you want."
"Only later, when you try to access that package elsewhere, will there be any indication that you've made a typo. In the meantime, both of you – other GRAM they have been making progress on their project."
"npm could (and maybe should) not allow components that share names with their commands," software developer Matt Freeland of Sonatype told BleepingComputer.
Freeland further stated that once packages are installed, npm displays a summary success message such as "added 3 packages and audited 8 packages", instead of printing the exact list of installed packages.
"Naming the installed packages in the success message would give developers the opportunity to detect their errors," he continued.
In recent times, open source registries, including npm, have been flooded [1, 2, 3] with malware or unwanted content.
Developers should be careful when typing npm commands in the terminal, especially when using flags. It is also a good idea to check whether any of your packages depend on this mysterious package, and why.