
Security News
Sarah Gooding
May 15, 2025
A recent discussion in the Node.js community spotlighted a recurring question in open source: how can those who benefit from the ecosystem financially support the development of features they care about? Specifically, the debate centered on whether Node.js should establish a formal feature bounty program—a system by which users could place monetary rewards on specific feature requests, incentivizing their implementation.
Ultimately, the Node.js Technical Steering Committee (TSC) decided not to move forward with endorsing such a program. But the discussion raised important questions about open governance, funding models, and the tension between altruistic contributions and paid work in open source.
The conversation began in earnest on social media, where a developer expressed willingness to fund a small feature in Node.js. This prompted Node.js TSC member Matteo Collina to suggest GitHub Sponsors as a funding path and to raise the question of what might work better, such as a centralized list of available contractors or vetted contributors.
In response, Owen Buckley opened a GitHub issue titled NodeJS Feature Bounty Program (#1723), proposing a public bounty or sponsorship mechanism. The idea was simple: allow users or companies to pledge money toward specific feature requests or issues and connect them with interested contributors.
The enthusiasm was real. Multiple community members chimed in to say they would also love to sponsor Node.js work if there were a clear and official mechanism to do so.
As the discussion continued, contributors floated practical alternatives:
One open source funding platform, BountyHub, even offered to waive its service fees if allowed to facilitate such a program for Node.js.
TSC member Darshan Sen raised a number of legitimate concerns regarding using crowdfunding platforms, citing issues like exploitative dynamics, lack of standout options, delayed compensation, and the potential for abuse—all of which make direct contractor arrangements a more trustworthy alternative.
"The classic way of directly contacting a contractor and working something out with them seems much more flexible," Sen said.
Node.js collaborator Antoine du Hamel also noted how tying funding to specific issues could distort priorities and undermine the project's quality standards.
"If we imagine a system where folks could give money for a specific issue, and the project cannot use the money until the issue is 'fixed,' it gives pretty bad incentives to the project: to be less regarding on quality of the PR implementing it, probably silencing folks who raise concerns," du Hamel said. "Whoever decides what 'fixed' means, it would [give] them quite a lot of power over the project.
"Also worth considering that users would probably give money for user facing features, while us maintainers would probably want to prioritize some other issues (CI reliability, tooling, etc.) where we're already accumulating tech-debt. Maybe there's a balance to be found, in any case let's make sure we don't worsen an already less-than-ideal situation."
Despite enthusiasm from some, several TSC members raised serious concerns during the most recent meeting:
One common refrain: if people want to fund work, they’re free to do so, but the project itself shouldn’t set up or manage the mechanism.
At the May 7, 2025 TSC meeting, the group aligned on a cautious stance. The consensus was that Node.js should not endorse or operate a feature bounty program, though there was support for enabling external sponsorship and collaboration in less formal ways.
The TSC agreed to close the GitHub issue, noting that no one present supported overriding the objections to a project-backed bounty model.
However, the door remains open to further discussion. Darshan and others expressed interest in creating a contributor directory or skill map, which could live on the official website to help funders find relevant experts directly. A follow-up proposal for that is still expected.
This conversation echoes broader debates across the open source world. How should projects balance the reality that contributors need to be paid with the values of open collaboration and meritocracy? How can communities make space for financial support without becoming extractive or inequitable?
While the Node.js TSC declined to endorse a formal bounty program, the core problem of connecting funding with feature work hasn’t gone away. If anything, the thread showed that both demand and interest are growing.
For now, the project's official stance is caution but not indifference. Unofficial, community-led solutions may still find room to grow outside the core governance structure.