from Hacker News

Empty NPM package '-' has over 700k downloads

by clubdorothe on 8/3/21, 3:32 AM with 25 comments

  • by t0mek on 8/3/21, 6:51 AM

    > Developers should exercise caution when typing npm commands in the terminal when especially when using flags.

    The double "when" is quite funny here, given the nature of the npm problem described in the article.

  • by marechalbernard on 8/3/21, 4:10 AM

  • by tus89 on 8/3/21, 4:15 AM

    And removing it will probably break half the internet. NPM is a nutshell.

  • by marto1 on 8/3/21, 5:52 AM

    Where there's user input there's cybersquatting.

  • by egberts on 8/3/21, 10:20 AM

    A simple logic of NOT "-" would have blocked any reintroduction/upgrade of the unintended "-" package, coupled with an inert package replacing the accidentally-introduced "-" package.

    Yeah, those who depend on the original but accidental "-" package for its functionality should suffer any consequential breakage that may have resulted from it.

    *insert*fake*tear*here*

  • by throwaway4good on 8/3/21, 6:02 AM

    So why would anyone make a package like that?

  • by hidden-spyder on 8/3/21, 5:01 AM

    What even does this package do? I can't understand how to get to the source and the readme is vague.

  • by James-Livesey on 8/3/21, 11:40 AM

    > A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

    ...then a few lines further down the article:

    > An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.

    Kinda frustrating that the same information is being written twice imo... And then two ads in a row follow that

  • by pajko on 8/3/21, 4:26 PM

    What would happen if a newer version gets released sometime with some added malware functionality?

  • by undebuggable on 8/3/21, 8:58 AM

    Mistyped, incorrect, and copypasted shell commands which are incorrectly using the minus character.

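The two points above, egberts's idea of simply refusing a dependency named "-" and undebuggable's observation that the downloads come from mistyped minus characters, can be turned into a small defensive check. The following JavaScript is an added example, not code from the thread, the article, or npm itself: it audits a package.json for dependency names that look like stray shell arguments rather than real packages, and it includes a deliberately simplified model (an assumption, not npm's actual argument parser) of why a lone "-" ends up as a positional package spec. The manifest and the command lines are constructed for the demo.

```javascript
// Added example (not from the thread or from npm): flag dependency names in a
// package.json that look like mistyped shell arguments, and show how a lone "-"
// slips past option parsing. SAMPLE_PACKAGE_JSON is a constructed manifest.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { "express": "^4.17.1", "-": "0.0.1", "g": "*" },
  devDependencies: { "jest": "27.0.6", "--save-dev": "1.0.0" },
});

// Heuristics for names that usually come from a typo rather than a real choice.
const NAME_RULES = [
  { id: "flag-like",
    why: "starts with '-': a mistyped CLI flag that became a package argument",
    test: (n) => n.startsWith("-") },
  { id: "no-letters",
    why: "contains no letters or digits",
    test: (n) => !/[a-z0-9]/i.test(n) },
  { id: "single-char",
    why: "one-character name, often a flag letter separated from its dash",
    test: (n) => n.length === 1 },
];

const DEP_FIELDS = ["dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"];

// Returns one finding per suspicious dependency with the ids of the rules that hit.
// A CI step can fail the build when this list is non-empty.
function auditDependencyNames(manifestText) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const matched = NAME_RULES.filter((r) => r.test(name));
      if (matched.length > 0) {
        findings.push({ field, name, range, rules: matched.map((r) => r.id) });
      }
    }
  }
  return findings;
}

// Simplified model (an assumption, not npm's real parser): a token is an option
// only if it starts with "-" AND carries at least one more character. A bare "-"
// has no option letter, so it lands in the positional list next to real packages.
function splitInstallArgs(argv) {
  const options = [];
  const packages = [];
  for (const tok of argv.slice(2)) {          // skip "npm" and "install"
    if (tok.startsWith("-") && tok.length > 1) options.push(tok);
    else packages.push(tok);
  }
  return { options, packages };
}

function main() {
  for (const f of auditDependencyNames(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.field}: "${f.name}"@${f.range} flagged by ${f.rules.join(", ")}`);
  }
  // Hypothetical typo: the dash and the flag letter separated by a space.
  console.log(splitInstallArgs(["npm", "install", "-", "g", "some-package"]));
  // The intended command for comparison.
  console.log(splitInstallArgs(["npm", "install", "-g", "some-package"]));
}

main();
```

Running the script prints three findings ("-", "g" and "--save-dev") and shows that the mistyped command yields the positional list `["-", "g", "some-package"]`, which is exactly how a stray "-" becomes an install target; the name rules are heuristics, so a project that really depends on a one-letter package should add it to an allow list rather than loosen the rule.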
  • by brundolf on 8/3/21, 4:16 AM

    Also 56 dependents

  • by tapout1960 on 8/4/21, 1:46 PM

    Can a newer version be used to introduce malicious code for those downloading or the dependents?