Bradley Meck Farias
March 30, 2023
Step aside, Kardashians – there's a new media obsession in town, and his name is John Wick! The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero.
Here at Socket, we've been keeping a close eye on the registry, and boy, have we got some juicy tidbits for you. Just yesterday, there were a whopping 4,600 npm packages all about John Wick. But that was just the beginning! By the end of our demos, the number had shot up to 4,750, and this morning, we counted almost 5,600! That's right, folks – a mind-blowing 0.02% of npm is now dedicated to Mr. Wick.
We've already spilled the beans on uploading media to npm, but this John Wick extravaganza is taking things to a whole new level. Lucky for you, we've been cooking up some fresh new ways to handle these pesky packages, and we've uncovered some real eyebrow-raisers along the way:
1. Crafty URL shorteners are the go-to disguise for these sneaky links. Some even require a little JavaScript magic to reveal their true nature.
2. Hold the phone – most of these URLs are actually labeled as "benign" by reputation databases! Short-lived domains and hand-curated databases are the culprits behind this shocking oversight.
3. Non-English speakers, rejoice! A large chunk of these slippery packages are in languages other than English. It's time to rethink our approach to the registry and embrace the global nature of open-source software.
4. The cherry on top? This whole hullabaloo is a brazen attempt at search engine optimization (SEO) grabbing! Even though real users aren't downloading these packages (download counts suggest only bots are doing the dirty work), they're plastered all over npm's homepage. Talk about a sneaky SEO boost!
Stay tuned, dear readers, because we've got some thrilling news coming your way soon about this utterly bizarre turn of events. In the meantime, feast your eyes on this John Wick-filled npm landscape, because it's reaching a fever pitch!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
