This is an open source funding experiment! The current model of sustaining open source is not working. We desperately need more experimentation. This is one such experiment.
npm install funding
This is an open source funding experiment! ✨
Whenever users install open source software, this package will display a message from a company that supports open source. The sponsorship pays directly for maintainer time. That is, writing new features, fixing bugs, answering user questions, and improving documentation.
The goal is to make sure that packages are well-maintained now and for the foreseeable future, with regular releases, improved reliability, and timely security patches. Healthy open source packages benefit users and maintainers alike.
You can take a look! All the code is open source in this GitHub repository. Essentially, it calls console.log() on some text. There is no tracking or data collecting — and it will always stay this way. You can look at the code to verify – indeed, this is the beauty of open source!
This experiment is currently running on a few open source projects that Feross maintains:
Hey there, I'm Feross!
I'm an open source author, maintainer, and mad scientist. I maintain 100+ packages on npm which are downloaded 100+ million times per month. All my code is freely accessible on GitHub.
I work on innovative projects like WebTorrent, a streaming torrent client for the web, WebTorrent Desktop, a slick torrent app for Mac/Windows/Linux, and StandardJS, a JavaScript style guide, linter, and automatic code fixer. I also work on fun projects like BitMidi, a free MIDI database, and Play, a music video app.
I wrote and maintain several popular browserify + webpack ecosystem packages like buffer (38M downloads/month) and safe-buffer (64M downloads/month). Some of my favorite npm packages that I've written are simple-get (4M downloads/month), run-parallel (1.6M downloads/month), and simple-peer (32K downloads/month).
In the past, I was on the Node.js Board of Directors, representing individual Node.js users like you! It was an unpaid position, but I was happy to play some small part in making things better for everyone. Just for fun, a couple of years ago I helped organize ArcticJS, an impromptu JavaScript conference in Svalbard, the northernmost human settlement on Earth, with some amazing friends.
My goal with this experiment is to make StandardJS healthier. If we learn that the experiment works, perhaps we can help make all open source healthier, too. For complex reasons, companies are generally hesitant or unwilling to fund open source directly. When it does happen, it's never enough and it never reaches packages which are transitive dependencies (i.e. packages that no one installs explicitly and therefore no one knows exist). Essentially, we have a public good which is consumed by huge numbers of users, but which almost no one pays for. Fortunately, there exists a funding model that usually works for public goods like this – ads. The goal of this experiment is to answer the question: Can we use ethical ads – ads that don't track users or collect data – to fund open source software?
The funds raised so far ($2,000) have paid for Feross's time to release Standard 14 which has taken around five days. If we are able to raise additional funds, the next thing we'd like to focus on is out-of-the-box TypeScript support in StandardJS (one of the most common feature requests!) and modernizing the various text editor plugins (many of which are currently unmaintained).
You can open an issue. But please be kind. I'm a human with feelings. ❤️
Just to be super clear: This package does no tracking or data collecting — and it will always stay this way. It's just a fancy console.log().
If you support open source through direct contributions, donations, or however else you see fit, you can permanently silence funding by adding an environment variable OPEN_SOURCE_CONTRIBUTOR=true to your terminal environment.
Note, funding also respects npm's loglevel setting, so e.g. npm install --silent and npm install --quiet will be respected.
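The two opt-outs above (the OPEN_SOURCE_CONTRIBUTOR variable and npm's loglevel) are easy to get subtly wrong, so here is the decision written as a small, testable function. This is an added example, not the funding package's own code. It assumes, as the page does not state, that npm exposes the effective log level to lifecycle scripts in the environment variable npm_config_loglevel, that `npm install --silent` sets it to "silent" and `npm install --quiet` sets it to "warn", and that the sponsor message counts as "notice"-level output. The message text and the helper names are constructed for the example.

```javascript
// Added example: the funding README's silencing rules as pure functions.
// Assumptions (not from the page): npm passes its log level to lifecycle
// scripts as npm_config_loglevel; --silent => "silent", --quiet => "warn";
// the sponsor message is treated as "notice"-level output.

// npm log levels, least verbose first.
const LOG_LEVELS = [
  'silent', 'error', 'warn', 'notice', 'http', 'timing', 'info', 'verbose', 'silly',
];
const MESSAGE_LEVEL = LOG_LEVELS.indexOf('notice');

// Opt-out from the README: OPEN_SOURCE_CONTRIBUTOR=true in the environment.
// Compared case-insensitively so "TRUE" also silences the message.
function isContributor(env) {
  return String(env.OPEN_SOURCE_CONTRIBUTOR || '').trim().toLowerCase() === 'true';
}

// True when npm's log level is quieter than the level the message is printed at.
// An unrecognised value is not treated as quiet, so a typo does not hide output
// the user did not ask to hide.
function isQuietLogLevel(env) {
  const level = String(env.npm_config_loglevel || 'notice').trim().toLowerCase();
  const idx = LOG_LEVELS.indexOf(level);
  if (idx === -1) return false;
  return idx < MESSAGE_LEVEL;
}

// Combined decision: print only if neither opt-out applies.
function shouldShowMessage(env) {
  return !isContributor(env) && !isQuietLogLevel(env);
}

// Prints the message through `log` when allowed; returns whether it printed.
// The message text is a constructed placeholder, not a real sponsor line.
function printFundingMessage(env = process.env, log = console.log) {
  if (!shouldShowMessage(env)) return false;
  log('[constructed example] This install was made possible by an open source sponsor.');
  return true;
}

// Stand-alone run: behaves like a postinstall hook would under the current shell.
printFundingMessage(process.env);
```

Because the decision is a pure function of the environment, it can be checked in a unit test without running `npm install`, and a reviewer auditing an install-time script can verify the opt-outs actually apply before the package ever reaches CI.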
The npm package funding receives a total of 43 weekly downloads; on that basis, its popularity was classified as not popular.
We found that funding has an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.