Spam NPMs #116

neilstuartcraig opened this Issue · 6 comments

3 participants


Hi guys
I'm getting increasingly concerned about spam and I guess even potentially malicious code on I think it would at least be worth allowing users to flag NPMs they're concerned about.

Here's an example which was just added; look at the submitter's profile:



What is the issue? He has a funny email address. The code doesn't appear to have anything funny in it.

@isaacs isaacs closed this

Hi both
Sorry for the slow reply.
I was perhaps unfair on this contributor by singling him out, but both his email address and avatar and, as mentioned by Isaac, the nature of the NPM raised initial concerns.

Recently I've also seen several more (admittedly a very low percentage) potentially suspicious-looking NPMs. These occurrences may simply be people filling in the forms in their second or even third language, but it raised the thought that such an open platform, although superb for fast innovation, is potentially at least open to malicious activity. If we're honest, I think we'd admit that very few people will have the time and possibly the expertise to fully assess the source code of NPMs.

I suppose I should have written my original message in a much more complete way, my apologies for not doing so.

What I'd like to suggest as a consideration is perhaps something simple first of all to let users easily flag any NPMs they believe may be malicious. I believe this would also send a message to potential spammers/crackers that the community is active in dealing with rogues.

Further to that, perhaps it's worth considering whether it's feasible to implement something like an "approved" or "vetted" accreditation which could be added to NPMs as reassurance. I realise that this may necessitate a lot of manual labour but it works well - there is something similar on the Vanilla (Forum app) addons repo:

Many thanks and apologies for any offence caused. I am finding the node community to be extremely active and very capable; I just would be very sad to see it go the way the Android store nearly did before Google stepped in.



@neilstuartcraig I think you worry too much. No offense was caused, that I can tell.

A way to flag malicious npm packages is certainly a grand idea. However, a module that works as advertised, and advertises that it is useful in the devious art of spamming, is not in itself malicious, and doesn't qualify.

I'm very hesitant to go in the direction of adding manual work. We're not hapless end-users installing every module with a shiny enough logo and putting it out into production without reading what it does. The better solution is to continue in the direction of the web-of-trust approach, and find ways to make the positive more visible.

We cannot add friction. The solution is to move forward faster. This is not an app store, it's a programming community. It's more likely that we'd go the way that Pear/PECL did.


Hi Isaac

Good thanks, I am glad I've not caused offence :-).

I really just wanted to make the suggestions, and I can certainly see what you mean WRT manual reviews. Perhaps a simple flagging system might be achievable; anyway, as I say, I just wanted to make the suggestion.

Many thanks
