Research
Bradley Meck Farias
March 30, 2023
Step aside, Kardashians – there's a new media obsession in town, and his name is John Wick! The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero.
Here at Socket, we've been keeping a close eye on the registry, and boy, have we got some juicy tidbits for you. Just yesterday, there were a whopping 4,600 npm packages all about John Wick. But that was just the beginning! By the end of our demos, the number had shot up to 4,750, and this morning, we counted almost 5,600! That's right, folks – a mind-blowing 0.02% of npm is now dedicated to Mr. Wick.
We've already spilled the beans on uploading media to npm, but this John Wick extravaganza is taking things to a whole new level. Lucky for you, we've been cooking up some fresh new ways to handle these pesky packages, and we've uncovered some real eyebrow-raisers along the way:
1. Crafty URL shorteners are the go-to disguise for these sneaky links. Some even require a little JavaScript magic to reveal their true nature.
2. Hold the phone – most of these URLs are actually labeled as "benign" by reputation databases! Short-lived domains and hand-curated databases are the culprits behind this shocking oversight.
3. Non-English speakers, rejoice! A large chunk of these slippery packages are in languages other than English. It's time to rethink our approach to the registry and embrace the global nature of open-source software.
4. The cherry on top? This whole hullabaloo is a brazen attempt at search engine optimization (SEO) grabbing! Even though real users aren't downloading these packages (download counts suggest only bots are doing the dirty work), they're plastered all over npm's homepage. Talk about a sneaky SEO boost!
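As an added example (not Socket's code), a small Node.js triage script that checks package records for the three signals the findings above describe: shortener links, text that is mostly non-English, and download counts low enough to be bot-only traffic. The shortener hostnames, thresholds and sample package records are constructed assumptions for illustration.

```javascript
// Added example, not Socket's code: heuristic triage of npm package metadata.
// Shortener hostnames, thresholds and the sample records are constructed assumptions.
const SHORTENER_HOSTS = new Set(['bit.ly', 't.co', 'tinyurl.com', 'cutt.ly', 'rb.gy']);
const MIN_WEEKLY_DOWNLOADS = 25;   // below this, assume only bots are fetching it
const NON_ASCII_THRESHOLD = 0.3;   // share of letters outside A-Z that flags non-English text
const URL_RE = /https?:\/\/[^\s)\]>"']+/g;

// Pull every http(s) URL out of free text, trimming trailing punctuation.
function extractLinks(text) {
  return (text.match(URL_RE) || []).map((u) => u.replace(/[.,;:!]+$/, ''));
}

// Links whose hostname is a known URL shortener (the disguise from finding 1).
function shortenedLinks(text) {
  return extractLinks(text).filter((u) => {
    try { return SHORTENER_HOSTS.has(new URL(u).hostname.toLowerCase()); }
    catch (_) { return false; }   // malformed URL: not a shortener we recognise
  });
}

// Rough language signal (finding 3): fraction of letters that are not ASCII A-Z.
function nonAsciiLetterRatio(text) {
  const letters = text.match(/\p{L}/gu) || [];
  if (letters.length === 0) return 0;
  return letters.filter((ch) => !/[A-Za-z]/.test(ch)).length / letters.length;
}

// Score one package record; two or more signals marks it for human review.
function triagePackage(pkg) {
  const text = `${pkg.description || ''}\n${pkg.readme || ''}`;
  const reasons = [];
  const short = shortenedLinks(text);
  if (short.length) reasons.push(`shortener links: ${short.join(', ')}`);
  const ratio = nonAsciiLetterRatio(text);
  if (ratio > NON_ASCII_THRESHOLD) reasons.push(`non-ASCII letter ratio ${ratio.toFixed(2)}`);
  if (pkg.weeklyDownloads !== undefined && pkg.weeklyDownloads < MIN_WEEKLY_DOWNLOADS) {
    reasons.push(`only ${pkg.weeklyDownloads} weekly downloads (bot-level traffic)`);
  }
  return { name: pkg.name, reasons, suspicious: reasons.length >= 2 };
}

// Constructed sample records in the shape a registry crawler might collect.
const SAMPLE_PACKAGES = [
  { name: 'example-movie-spam', weeklyDownloads: 3, description: 'John Wick 4 full movie online',
    readme: 'Джон Уик 4 смотреть онлайн бесплатно: https://bit.ly/EXAMPLE-SHORT' },
  { name: 'example-real-lib', weeklyDownloads: 120000, description: 'Tiny string padding helper',
    readme: 'Docs: https://github.com/example/example-real-lib' },
];

for (const pkg of SAMPLE_PACKAGES) console.log(triagePackage(pkg));
```

The script only flags records for review; a shortener link still has to be expanded (with redirects followed) before anyone decides what the destination actually is.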
Stay tuned, dear readers, because we've got some thrilling news coming your way soon about this utterly bizarre turn of events. In the meantime, feast your eyes on this John Wick-filled npm landscape, because it's reaching a fever pitch!