These Chinese devs are storing 1000s of eBooks on GitHub and npm

Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'


Ax Sharma

November 2, 2022


A community of Chinese devs that calls itself 'ApacheCN' is using open source platforms like GitHub and npm to store 1000s of eBooks.

Last week, Socket's automated npm analysis engine flagged a package called "yingwen-lianmeng-erlingyiqilingjiu-erlingereryiling" among a list of those missing license information.

On taking a closer look, Socket's senior software engineer Mikola Lysenko noticed something interesting: The unpacked npm package is 79 MB in size as it contains an .EPUB (eBook) file.

Circumventing Chinese censorship

As for the contents of the EPUB itself, it contains different editions of The Economist, one of the mainstream media sites to have joined the list of websites banned in China.

Some editions contained in the package are as recent as October 2022:

We noticed that at the top of every black-and-white edition packed within the EPUB there is a link beginning with mp.weixin.qq.com/, which takes you to a fuller, better-quality color copy:

Other eBooks were riddled with pages bearing giant QR codes directing readers to QQ/WeChat chat groups and niche websites.

1000s of eBooks stored on npm

We further noticed the maintainer of the package ('wizardforcel') had published upwards of 2,900 identical packages. As of Tuesday, November 1st this count jumped up to 3,387.

This set of 1000s of npm packages is quite diverse in terms of content.

Some of these pack Chinese translations of developer docs for popular open source frameworks. Others are eBook translations of works that may be censored in certain jurisdictions. And yet others seem to cast doubt on their own copyright status—are the repo owners engaging in piracy, whether unknowingly or intentionally?

Nearly all of these packages credit 'ApacheCN,' a GitHub organization that claims to be a "non-profit project document and tutorial translation project established by iBooker" with a cheeky slogan that roughly translates to "We don't want to know friends who don't pretend to be coercive."

On its website, ApacheCN makes it clear that the group "have no relationship with [Apache Software Foundation]!"

Despite claiming to be an "open source organization" that stewards a "non-profit" knowledge-sharing project, it's hard to box ApacheCN, aka iBooker, into a single category.

Knowledge sharing, "fair use," gender "wiki"...

It isn't exactly clear what iBooker is attempting to achieve. In its purported quest to establish a Chinese open information sharing platform, the contributors may have crossed a thin line between what constitutes "fair use" under international copyright law and online piracy.

We tried contacting the ApacheCN organization and the repo owners multiple times in advance of publication but haven't heard back.

Previously, 'ApacheCN' has also been known to send unsolicited (spam) emails that appeared to originate from domains of Chinese universities.

While we were busy scratching our heads over the legality of these thousands of EPUBs posted by this group on both npm and GitHub, we came across another uncanny finding: a 'male-wakeup-wiki' repo [translation] maintained by the group and riddled with sexist connotations. You be the judge, but the placement of such content in a GitHub repo of the group is rather unsettling.

Note, we have not manually analyzed each of these 3,000+ packages and the analysis of individual EPUBs themselves is beyond the scope of this article.

Although these packages may not be outright malicious, they do put software distribution and version control tools to novel use, in ways deviating from the traditional use case of GitHub and npm.

At the very least, these packages pose a problem when it comes to ensuring hygiene of the open source software ecosystem.

Developers can install Socket's free GitHub app, which can detect missing licenses and software hygiene issues, among other supply chain risks, in your npm packages.
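The signals that surfaced this package (a missing license field, a 79 MB unpacked size, and a single EPUB making up nearly all of it) can be turned into a simple hygiene check over an extracted tarball. The following is an added example written for this article, not Socket's own analysis code; the size threshold, the document-extension list and the sample file listing are assumptions constructed to resemble the package described above.

```javascript
// Added example (not Socket's code): heuristic hygiene audit of an unpacked npm package.
// Input: the parsed package.json and a file listing ({path, size in bytes}) obtained by
// walking the extracted tarball. Thresholds and extension list are assumptions.
const MAX_UNPACKED_BYTES = 20 * 1024 * 1024; // assumed: flag anything over 20 MB
const DOC_PAYLOAD_EXT = new Set(['.epub', '.pdf', '.mobi', '.azw3', '.djvu']);

function extOf(path) {
  const i = path.lastIndexOf('.');
  return i === -1 ? '' : path.slice(i).toLowerCase();
}

function auditPackage(manifest, files) {
  const findings = [];
  const total = files.reduce((n, f) => n + f.size, 0);

  // 1. Missing license metadata: the signal that first flagged the package.
  if (typeof manifest.license !== 'string' || manifest.license.trim() === '') {
    findings.push('missing-license');
  }
  // 2. Unpacked size far beyond what a small library would need.
  if (total > MAX_UNPACKED_BYTES) findings.push('oversized-unpacked');
  // 3. eBook/document files accounting for most of the bytes in the package.
  const docBytes = files
    .filter(f => DOC_PAYLOAD_EXT.has(extOf(f.path)))
    .reduce((n, f) => n + f.size, 0);
  if (docBytes > 0 && docBytes / total > 0.5) findings.push('ebook-payload');

  return { name: manifest.name, totalBytes: total, docBytes, findings };
}

// Constructed sample modelled on the flagged package: no license field and one
// ~79 MB .epub next to a handful of tiny files. File sizes are illustrative.
const sampleManifest = { name: 'yingwen-lianmeng-erlingyiqilingjiu-erlingereryiling' };
const sampleFiles = [
  { path: 'package.json', size: 300 },
  { path: 'README.md', size: 2048 },
  { path: 'index.js', size: 120 },
  { path: 'book.epub', size: 79 * 1024 * 1024 },
];

const sampleReport = auditPackage(sampleManifest, sampleFiles);
console.log(JSON.stringify(sampleReport));
```

Running the block prints a report whose `findings` array lists all three signals for the constructed sample, while a small MIT-licensed package with only source files yields an empty array.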
