SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Checkmarx uncovers disruptive prank on NPM by user gdi2290
Thu, 4th Jan 2024

Online security company Checkmarx has uncovered a disruptive prank campaign carried out by an NPM user on the NPM registry. NPM user gdi2290, also known as PatrickJS, uploaded a package by the name of 'everything', causing a significant ripple of issues, including storage space exhaustion and disruptions in building pipelines for those who installed it.

NPM, which stands for Node Package Manager, is a registry filled with packages of reusable code that developers utilise to enhance their software projects. In this instance, gdi2290 uploaded a package on the platform which relied on every other public NPM package, leading to millions of transitive dependencies. This kind of over-dependency led to a Denial of Service (DOS) for users who installed the 'everything' package.

Further adding to the complexity of the situation, the creators of the 'everything' package published over 3,000 sub-packages. These sub-packages were designed to further break down the dependencies into chunks and to rely on all available packages within the NPM registry.

The mischief did not stop there, however. The creators also set up a website to showcase the ensuing digital chaos, incorporating a popular meme from the video game 'The Elder Scrolls V: Skyrim' for comedic effect.

This is not the first time the NPM registry has been subject to such an attack. Last year, the package 'no-one-left-behind' by Zalastax created a similar web of dependencies involving every available NPM package. Despite this package being removed by the NPM security team, a new development emerged with over 33,000 packages under the scope 'infinitebrahmanuniverse' resurfacing as sub-packages of 'no-one-left-behind' on January 28th, 2023.

One of the significant problems with such overly dependent packages is that individual packages become stuck. This means that if developers wanted to remove their own NPM package, they would be unable to if other packages, such as 'everything', were using it.

Two days after the prank packages were published, gdi2290 created an issue expressing his lack of foresight at the headache his troll package would cause users. He shared his inability to delete the packages, as the NPM mechanism prevents the removal of published packages once they are being used by other projects. He called for assistance from the NPM support team.

This latest digital mischief not only highlights the challenges package managers face with over-dependencies but also the cascading effects on the NPM ecosystem. While humorous to some, these pranks can have severe consequences in the developer community.

Checkmarx is a cybersecurity company that specialises in application security testing (AST) solutions. The company focuses on helping organisations identify and remediate security vulnerabilities in their software applications throughout the development life cycle. Checkmarx's platform provides a range of tools and services designed to enhance the security of software applications by identifying and mitigating potential vulnerabilities early in the development process.