Research
Philipp Burckhardt
January 10, 2024
It's a new year! So let's look back at how npm, the most popular package manager in the world, fared in 2023. We will look at some of the major trends in the ecosystem and investigate what the data reveal about how npm grew over the past year.
We'll also take a deeper dive into some of the malware and spam issues npm faced over the course of the year, and answer questions you didn't knew you wanted to know the answers to (such as which package has the longest name or is biggest in size).
Get ready, let's dive in!
Just ten years ago, it was feasible to read out the name of every npm package in a conference talk. By the end of 2023, Socket had ingested almost four million packages from the npm registry from almost nine hundred thousand maintainers.
The official npm statistics showed more than 2.5 million live packages by the end of 2023, with download counts exceeding a staggering 184 billion package downloads per month.
The discrepancy between 2.5 and four million highlights that many packages end up getting removed from the registry. Publishing to npm is easy and there is no gatekeeping and vetting of packages before release, so the npm registry has developed a reputation of hosting more malicious packages than other language ecosystems. However, this reputation may not be fully warranted based on some of the nefarious findings we've already made in the Python ecosystem.
Over the course of 2023, we released support for Python and Go, with support for additional language ecosystems such as Java planned for 2024. In the future, we'll release ecosystem comparisons where we put the conventional wisdom to the test!
Our data show that in 2023, 10,518,566 package versions were published to the npm registry. Here is a breakdown per month, showing that the registry saw the most package updates during the months of March and April, possibly due to the massive John Wick-themed spam and phishing campaign that targeted the npm registry in March and April 2023.
At the same time, the registry saw 1,241,583 versions being unpublished in 2023. We counted 165,486 new maintainers in 2023, which at this rate suggests that we will see the one million package maintainer mark being crossed in 2024!
So what kind of packages do we see getting published and used most? While npm started as the package manager for Node.js, its meteoric rise over the last couple of years coincides with it becoming the de-facto standard package manager for JavaScript front-end projects as well, largely replacing Bower, and leading to a more unified and streamlined development workflow in JS projects.
The graph below shows the top 50 packages by the number of packages that depend on them:
One clear observation is how popular TypeScript has become. Initially released in October 2011, TypeScript gained significant popularity around 2017-2018 and is now the standard for authoring large applications, but it is increasingly being used for library code as well.
In terms of front-end frameworks and libraries, React being at second place is no surprise, given its large component ecosystem and dominant status in the ecosystem. The only other front-end library in the list is Vue.js (Angular is represented first with @angular/core at position 62.)
Another angle we could take is looking at the most popular packages by their weekly downloads:
The list is dominated by well established utility-focused packages that are used transitively by many packages and thus rack up a significant number of downloads. Prolific open-source developer and maintainer Sindre Sorhus has a very strong presence here, being responsible for half of the packages in the list.
Alternatively, we could restrict our attention to packages that were first released in 2023. Then, the list looks as follows:
At Socket, we scanned millions of files inside npm packages with Socket AI, our AI-powered threat detection system. In 2023, we identified more than five thousand packages as malware that were subsequently taken down by the npm registry.
2023 saw several high-profile supply chain attacks in the cryptocurrence space. A package like hardhat-gas-report was benign for months before being updated with malicious code to steal Ethereum private keys. And on December 14th, a malicious version of Ledger Connect Kit was published after a former Ledger employee fell victim to a phishing attack that gained access to their npmjs account, which attempted to reroute funds to a hacker wallet.
Besides the uptick in malware, npm faced multiple spam campaigns, during which the attackers published large quantities of spam packages to the npm registry. Back in February last year, more than 15,000 spam packages were published to npm in a matter of two days. Socket's security research team uncovered a different large spam campaign later in the year.
Last but not least, here are some answers to questions you were likely not contemplating, but which once raised may pique your curiosity:
First, it should be pointed out that 214 characters is the maximum length allowed for a package name on npm. So are there are such packages on the registry? Yes; the following packages all max out the available number of characters:
ifyouwanttogetthesumoftwonumberswherethosetwonumbersarechosenbyfindingthelargestoftwooutofthreenumbersandsquaringthemwhichismultiplyingthembyitselfthenyoushouldinputthreenumbersintothisfunctionanditwilldothatforyoukoishi-plugin-uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuthis-package-exports-the-number-214-and-its-name-is-also-two-hundred-and-fourteen-characters-long-which-is-the-longest-name-currently-allowed-by-the-npm-registry-to-see-how-a-name-that-long-would-look-if-you-did-iithis-package-exports-the-number-214-and-its-name-is-also-two-hundred-and-fourteen-characters-long-which-is-the-longest-name-currently-allowed-by-the-npm-registry-to-see-how-a-name-that-long-would-look-if-you-did-itLeading the pack is @chainsafe/eth2-spec-tests with a whopping size of 5.96 GB. Close on its heels is version 1.1.0 of kuzzle, which is not far behind at approximately 5.88 GB. modez comes in third, with a sizeable 4.39 GB. Following these are @mpetrunic/eth2-spec-tests and version 0.9.3 of docloop, weighing in at 4.13 GB and 3.38 GB, respectively. See below for the full top 10 of largest package versions as measured by their unpacked size.
@chainsafe/eth2-spec-tests@0.12.3 (5.96 GB)kuzzle@1.1.0 (5.89 GB)modez@1.0.4 (4.39 GB)@mpetrunic/eth2-spec-tests@1.0.1 (4.13 GB)docloop@0.9.3 (3.38 GB)@twigeducation/ts-fe-components@5.9.1 (3.22 GB)similar-persian-words@1.0.2 (3.05 GB)@sofit/view-locale@2.0.1 (2.14 GB)quint-cli@0.13.0 (2.08 GB)steamboat@0.1.1 (1.77 GB)The winner is @seek/asia-translations, boasting 554 maintainers. Following closely are two packages from Condé Nast, but the BBC has a strong presence in the top 10 with several packages as well. Below is the full list of the top 10 package versions, ranked by the number of maintainers.
@seek/asia-translations@1.0.0 (554 maintainers)@condenast/seawasp-bull-queue@0.1.4 (530 maintainers)@condenast/cna-st-codec@0.1.4 (530 maintainers)@bbc/storyplayer@0.4.16 (494 maintainers)@bbc/digital-paper-edit-client@0.8.2-alpha.2 (494 maintainers)@bbc/stt-align-node@1.0.0 (494 maintainers)@bbc/newslabs-helper-analytics@3.1.3 (493 maintainers)@bbc/local-election-2020-assets@0.0.1 (491 maintainers)@bbc/digital-paper-edit-storybook@1.7.0 (491 maintainers)@bbc/object-based-media-schema@0.3.3 (490 maintainers)Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.