
A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

What's more? The package contains no functional code, so what makes it score so many downloads?

Inside the npm package "-"

An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry in early 2020.

There's only one version of the package: 0.0.1 and it contains three files:

tar tvf 0.0.1/--0.0.1.tgz

package/dist/index.js
package/package.json
package/README.md

Inside these files, mainly the manifest (package.json) and index.js, there is nothing phenomenally interesting, just skeleton code.

The manifest does pull in a bunch of development dependencies (devDependencies) and invokes some commands on the "ts-node" component, but that's about it. It's practically dead code, for now:

The index.js file and the manifest file (package.json) of "-" (BleepingComputer)

"-" is used by over 50 packages

It gets even better.

The practically useless package "-" serves as a dependency for over 50 npm packages, without a clear explanation:

npm package "-" is used by 56 packages (npmjs.org)

But most of these dependent packages have no more than a few dozen weekly downloads.

So, how is it that "-" has scored almost 720,000 downloads?

It is plausible that the package gets pulled in when someone running npm commands from the terminal makes a typographical error.

For example, to install an npm package called "somepackage," you'd have to run:

npm i somepackage

What if you were specifying a few flags but made a mistake? For example:

npm i - someFlag somepackage

The space between the "-" and someFlag may cause npm to pull in "-", since a package with that name does exist.

It's therefore plausible that the package's enormous download count is a result of developers making typos.

And similarly, when adding dependencies to package.json via the command line, it isn't too hard to see how a "-" could slip in by error.

In a test, BleepingComputer ran the following command with the intention of downloading "somepackage" and "axsharma" from npm.

But notice the intentional typo, an extra "-" before the "--save" flag:

npm install somepackage axsharma - --save

Unsurprisingly, both the resulting file package-lock.json and the node_modules/ folder contained the "-" package, explaining how it could slip into your dependencies in the real world:

Generated node_modules folder and package-lock.json file contain "-" package (BleepingComputer)

The package's creation itself seemed accidental or caused by a test script that finished prematurely.

Both the README.md file included within the package and the package's npm page indicate "-" was generated by a script:

README file for "-" (BleepingComputer)

Developer behind "-" shares insights

BleepingComputer had reached out to the package's author, Dmitry Parzhitsky, with some questions, such as why the package was created. We have now heard back:

"Let me say right off the bat: with this package, I mean no harm to anyone in any way," Parzhitsky told BleepingComputer, stressing the package was fully compliant with npm's naming rules at the time of its creation and created as a test.

"Originally, I published the package to verify that '-' is a valid package name according to naming rules—weirdly, it is; you could, for example, publish a package under the name '--' as well," he continued.

Parzhitsky agrees with BleepingComputer's hypothesis that the unusually high number of downloads can most likely be attributed to developers making typos.

The developer further clarified that, while "-" does nothing as of now, he intends to modify the package to throw error messages when someone accidentally installs such packages.

"By the way, I find this behavior peculiar and maybe even somewhat dangerous. That's why I am planning to implement a warning in case of a suspicious installation of '-' alongside packages like 'g', 'D', etc," concluded Parzhitsky in his email interview with us.

GitHub issue where developer has published plans to implement warnings

Suffice it to say, while there is nothing right now in "-" that indicates it is malicious, developers should be careful that packages like "-" don't accidentally slip into their builds.

Other examples of single-letter packages, or those resembling npm commands include, but aren't limited to: i, g, install, D, and s.

This means, typing "npm i i somePackage" by mistake, as opposed to "npm i somePackage," will, in turn, install the i package, in addition to somePackage.

"The real issue here is that you can install these packages and never know it. Running npm install - g my-package will install the package you want."

"Only later on, when you try to access that package elsewhere will there be any indication that you made a typo. In the meantime, both - and g have been riding along in your project."

"npm could (and maybe should) disallow components that share names with its commands," Sonatype software developer Matt Freeland shared with BleepingComputer, following his tip-off.

Freeland further expressed that once packages are installed, npm presents a summarized success message such as, "added 3 packages, and audited 8 packages," rather than printing the exact list of packages installed.

"Naming the installed packages in the success message would give developers a chance to actually catch their errors," he continued.

In recent times, open-source registries, including npm, have repeatedly [1, 23] been flooded with malware or unwanted content.

Developers should exercise caution when typing npm commands in the terminal, especially when using flags. It's also a good idea to check why your packages are dependent on this mysterious package.
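One way to act on that advice, as an added example that is not part of the article or of any npm tooling: a small Node.js check that scans a project's package.json and a lockfile-v2/v3 package-lock.json for the typo-prone names the article lists ("-", "i", "g", "install", "D", "s") and, generalising slightly, any one-character or dash-prefixed name, so an accidental "-" is flagged for review before it rides along in the build. The sample manifest and lockfile are constructed here, modelled on the article's `npm install somepackage axsharma - --save` test.

```javascript
// Added example (not from the article): scan package.json and a v2/v3 package-lock.json
// for dependency names matching the typo-prone names the article lists, so a stray "-"
// or "g" pulled in by a mistyped `npm install` is caught at review time.
const SUSPICIOUS_NAMES = new Set(["-", "--", "i", "g", "install", "D", "s"]);

// The explicit list comes from the article; the pattern generalises it to any
// single-character name or a name starting with a dash (a flag typed as a package).
// Legitimate one-letter packages will also be flagged: the goal is review, not blocking.
function looksLikeTypo(name) {
  return SUSPICIOUS_NAMES.has(name) || name.length === 1 || name.startsWith("-");
}

// Package names from a v2/v3 lockfile's "packages" map. Keys look like
// "node_modules/foo" or "node_modules/foo/node_modules/bar"; the name is the
// segment after the last "node_modules/" (scoped names keep "@scope/").
function lockfilePackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    names.add(key.slice(idx + "node_modules/".length));
  }
  return names;
}

// {name, where} for every suspicious name in the manifest's dependency sections or
// the lockfile, sorted by name (stable sort: manifest hits precede lockfile hits).
function findSuspiciousDeps(manifest, lock) {
  const hits = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(manifest[section] || {})) {
      if (looksLikeTypo(name)) hits.push({ name, where: `package.json ${section}` });
    }
  }
  for (const name of lockfilePackageNames(lock)) {
    if (looksLikeTypo(name)) hits.push({ name, where: "package-lock.json" });
  }
  return hits.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample input modelled on the article's test command
// `npm install somepackage axsharma - --save`, which left "-" in both files.
const SAMPLE_MANIFEST = { dependencies: { somepackage: "^1.0.0", axsharma: "^1.0.0", "-": "0.0.1" } };
const SAMPLE_LOCK = {
  packages: {
    "": {},
    "node_modules/somepackage": { version: "1.0.0" },
    "node_modules/axsharma": { version: "1.0.0" },
    "node_modules/-": { version: "0.0.1" },
  },
};
console.log(findSuspiciousDeps(SAMPLE_MANIFEST, SAMPLE_LOCK));
```

Against real files, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of the project's package.json and package-lock.json; a non-empty result is worth a look at `npm ls <name>` to see which dependency chain pulled the package in.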

Update 4-Aug-2021 07:15 ET: BleepingComputer had reached out to Parzhitsky (the developer of "-") well in advance of publishing this article. However, we received a detailed response much later, after press time. As such, we have updated parts of the article to incorporate the developer's responses. For transparency, the original, archived copy of this article is available on Wayback Machine.
