'-' npm package continues to grow in popularity

In August 2021, a strange single-letter package '-' ("minus") caught the attention of the community: it had over 700,000 downloads and 56 incoming dependencies, i.e. at that time 56 other packages depended on "minus".

The case was all the more puzzling because the package was essentially empty and contained nothing but template constructs (name, version number, etc.).

Since then, the popularity of "minus" has grown significantly. As of March 11, 2022 (4:00 PM), 185 packages already depend on it.

The minus package was developed at the beginning of 2020. Since then, only a single version 0.0.1 has been released with three files:

tar tvf 0.0.1/--0.0.1.tgz
package/dist/index.js
package/package.json
package/README.md

Inside these files, there is practically nothing but a manifest (package.json) and a basic index.js with no functional code.

The number of downloads has been growing gradually since last year, and today it steadily exceeds 23,000 per week.

Most likely, the popularity of the package is due to a typo made by tens of thousands of developers - an extra space after the minus of a flag in the standard installation command, which turns the flag into a bare '-' package name:

npm i -someFlag somepackage

Similarly, new dependencies appear when developers of other packages add dependencies to their package.json from the command line.
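A defender-side check for the typo described above, added here as an example (it is not code from the article or from npm; the function names and the sample package.json are hypothetical): it flags a bare '-' or any other single-character package spec in an install command's arguments and in a package.json dependency map, and suggests the flag the developer probably meant.

```javascript
// Hypothetical lint for the "split flag" typo: `npm i - someFlag pkg` installs the
// package named "-" instead of applying the flag "-someFlag".
const SINGLE_CHAR = /^[A-Za-z0-9]$/;

// argv: the tokens after `npm install` / `npm i`, e.g. ['-', 'someFlag', 'somepackage'].
// Returns one finding per suspicious token. `--` is npm's end-of-options marker, not a
// package name, so it is deliberately not flagged.
function suspiciousInstallArgs(argv) {
  const findings = [];
  argv.forEach((tok, i) => {
    if (tok === '-') {
      const next = argv[i + 1];
      findings.push({
        index: i,
        token: tok,
        reason: 'bare "-" is parsed as a package name',
        // If a flag-looking word follows, the intended flag was probably "-" + that word.
        suggestion: next && !next.startsWith('-') ? `-${next}` : null,
      });
    } else if (SINGLE_CHAR.test(tok)) {
      findings.push({ index: i, token: tok, reason: 'single-character package name', suggestion: null });
    }
  });
  return findings;
}

// pkg: a parsed package.json object. Flags "-" and single-character names in every
// dependency section, which is where `npm i --save` typos end up persisted.
function suspiciousDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (name === '-' || SINGLE_CHAR.test(name)) findings.push({ section, name });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { lodash: '^4.17.21', '-': '0.0.1' },
  devDependencies: { g: '*' },
};

console.log(suspiciousInstallArgs(['-', 'someFlag', 'somepackage']));
console.log(suspiciousDependencies(SAMPLE_PACKAGE_JSON));
```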

The author of the package, Dmitry Parzhitsky, cleverly took a profitable name that will generate traffic under any conditions - a guaranteed number of package installations. He himself regards it as a kind of experiment (a proof of concept) demonstrating a potential vulnerability in the npm package manager.

In the future, Dmitry plans to change the functionality of his package so that it displays an error message if someone tries to install it along with other single-letter packages like D, g, s.

This is reminiscent of typosquatting in the 90s, when scammers registered domain names with a misspelling in the name (gogle.com, yandeks.ru, etc.) and received a guaranteed stream of visitors making mistakes in typing URLs.

In the case of npm packages, there is a real risk that a user mistakenly installs an unneeded package containing arbitrary code - and does not notice it. And in such a one-letter package, the author can put anything.

The practice of reselling open source projects with a large audience is now quite common. The new package owner can release a new version with arbitrary content, for example a botnet client or a cryptominer. You don't have to look far for examples: 1, 2, 3. The "minus" package, with 23,000 downloads per week, is already of some commercial interest.

For developers, squatting misspelled npm package names is a definite business opportunity that some will not fail to take advantage of.