
Yes, there's an npm package called @(-.-)/env and some others like it
2023-09-02 12:00

My colleague and Sonatype senior software engineer Lex Vorona came across not one but several npm packages that do not strictly follow naming conventions, or have rather striking names.

That means the package itself is called "-" but is published under an oddly named scope "!-!", giving it a funky moniker altogether.

In an exclusive report, BleepingComputer had previously shed light on an empty npm package "-" with more than 700,000 downloads.

The reason for this was hypothesized to be developers accidentally typing an extra hyphen in command line instructions, such as npm i, which would cause their npm client to download this empty package in addition to the package they had intended to download. Tactfully named packages like "-hepl" may achieve a similar effect given their typosquatting potential.

Other examples of single-letter packages, or those resembling npm commands, include, but aren't limited to: i, g, install, D, and s. Starting in 2017, npm revised its naming rules to thwart typosquats by disallowing upper case letters in package names and the unscrupulous use of punctuation marks to sneak in typosquats.
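As an added example (not a tool from the article, Sonatype, or npm), the following Python audit flags dependency names that show the patterns described above: single characters, npm command look-alikes, leading hyphens, upper-case letters, and punctuation-heavy scopes. The npm verb list, the scope pattern, and the sample package.json are constructed assumptions of this example, not npm-published rules.

```python
"""Flag npm dependency names with the look-alike patterns discussed above."""
import json
import re

# npm CLI verbs a mistyped command could turn into; an assumption of this example.
NPM_VERBS = {"i", "install", "g", "s", "d", "help", "uninstall", "update", "run"}
SCOPED = re.compile(r"^@([^/]+)/([^/]+)$")

def osa_distance(a, b):
    """Edit distance where swapping adjacent letters ('hepl'/'help') costs one."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def name_findings(name):
    """Return the reasons a dependency name deserves a second look."""
    scope, bare = m.groups() if (m := SCOPED.match(name)) else (None, name)
    reasons = []
    if scope is not None and not re.fullmatch(r"[a-z0-9][a-z0-9._-]*", scope):
        reasons.append("scope contains unusual punctuation")
    if bare != bare.lower():
        reasons.append("upper-case letters (not allowed for new packages since 2017)")
    if bare.startswith("-"):
        reasons.append("leading hyphen (a stray '-' on the command line resolves here)")
    stripped = bare.lstrip("-")
    if len(bare) == 1:
        reasons.append("single-character name")
    elif stripped in NPM_VERBS:
        reasons.append("identical to an npm command word")
    elif any(osa_distance(stripped, v) == 1 for v in NPM_VERBS if len(v) > 3):
        reasons.append("one typo away from an npm command word")
    return reasons

def audit_package_json(text):
    """Map each suspicious dependency in a package.json document to its reasons."""
    doc = json.loads(text)
    return {name: r for sec in ("dependencies", "devDependencies", "optionalDependencies")
            for name in doc.get(sec, {}) if (r := name_findings(name))}
# Constructed package.json excerpt: the names from the article plus ordinary stand-ins.
SAMPLE = json.dumps({"dependencies": {"express": "^4", "-": "*", "@!-!/-": "*",
                     "@(-.-)/env": "*", "-hepl": "*", "D": "*", "lodash": "^4"}})

if __name__ == "__main__":
    for name, reasons in audit_package_json(SAMPLE).items():
        print(f"{name}: " + "; ".join(reasons))
```

Note that npm's own validator accepts scopes such as "!-!" and "(-.-)", so this heuristic is a review aid for a dependency manifest, not a substitute for npm's naming checks.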

News URL

https://www.bleepingcomputer.com/news/technology/yes-theres-an-npm-package-called-env-and-some-others-like-it/