Empty npm package '-' has over 700,000 downloads — here's why
2021-08-02 14:13

A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry in early 2020.

It is plausible that the package gets pulled in when someone running npm commands from the terminal makes a typographical error.

A stray space between the "-" and the flag name (for example "- g" instead of "-g") may cause npm to treat "-" as a package to install, since a package with that name does exist on the registry.

"The real issue here is that you can install these packages and never know it. Running npm install - g my-package will install the package you want."

Freeland further noted that once packages are installed, npm prints only a summarized success message such as "added 3 packages, and audited 8 packages," rather than the exact list of packages that were installed, so the extra dependency goes unnoticed.
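As an added example (not code from the article or from npm), two small defensive checks in Node.js: one flags a bare "-" token in an npm install argument list before the command runs, the other scans a parsed package.json or package-lock.json for the "-" package. The sample manifest and its version value are constructed.

```javascript
'use strict';

// 1) Inspect an npm argument list before running it and return the positions of
//    bare "-" tokens, which npm treats as a package name rather than as a flag.
//    Only install-style subcommands are checked ("i" and "add" are npm aliases).
function findBareDashArgs(argv) {
  const installCmds = new Set(['install', 'i', 'add']);
  if (argv.length === 0 || !installCmds.has(argv[0])) return [];
  const positions = [];
  argv.forEach((arg, idx) => {
    if (arg === '-') positions.push(idx);
  });
  return positions;
}

// 2) Scan a parsed manifest (package.json or package-lock.json) for the "-"
//    package and report where it was found.
function findDashDependency(manifest) {
  const hits = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const section of sections) {
    const deps = manifest[section] || {};
    if (Object.prototype.hasOwnProperty.call(deps, '-')) hits.push(`${section}["-"]`);
  }
  // Newer lockfiles list installed packages under "packages", keyed by path,
  // so the "-" package shows up as "node_modules/-" (possibly nested).
  const packages = manifest.packages || {};
  for (const path of Object.keys(packages)) {
    if (path === 'node_modules/-' || path.endsWith('/node_modules/-')) {
      hits.push(`packages["${path}"]`);
    }
  }
  return hits;
}

// Constructed sample: a package.json after the typo described in the article.
// The version string is a placeholder, not a real published version.
const samplePackageJson = {
  name: 'demo-app',
  dependencies: { '-': '0.0.0-placeholder', 'my-package': '^1.0.0' },
};

console.log(findBareDashArgs(['install', '-', 'g', 'my-package'])); // [1]
console.log(findDashDependency(samplePackageJson)); // [ 'dependencies["-"]' ]
```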


News URL

https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/