October 30, 2025
npm install… and pray
NPM flooded with malicious packages downloaded more than 86k times
Dev world gasps as “invisible” add‑ons yank sketchy code and steal creds
TLDR: Attackers hid credential-stealing code in 126 NPM packages, downloaded 86,000+ times, by pulling “invisible” dependencies from untrusted sites. Commenters are split: some rage that installs run arbitrary commands, others preach mirroring and stricter controls, underscoring how fragile the software supply chain really is.
NPM—the giant app store for JavaScript—just got splashed with 126 sneaky packages that were downloaded over 86,000 times, and the comments are on fire. Security firm Koi says the attackers abused “Remote Dynamic Dependencies” (think: a package secretly grabbing extra code from an arbitrary website at install time) to hide credential-stealing malware. These remote dependencies were invisible in package listings, which often showed “0 dependencies,” yet fresh code was still pulled on every install. Cue the drama.
The top vibe? Outrage that installing a package can actually run commands on your machine. One commenter dropped the mic with: “What’s the legitimate use case for a package install being allowed to run arbitrary commands…?” Meanwhile, the “prepper devs” are flexing: edoceo proudly mirrors all their dependencies by hand like a doomsday pantry, and also reminds everyone that those big download numbers can be inflated by automated test runs. On the culture-war side, ghusto blames “lowering the bar” for the mess, while others argue the real villain is the design that lets untrusted code slip in unseen.
Link‑sharers chimed in with an alt explainer at BleepingComputer, and a commenter fantasized about a locked‑down “depository” where only approved changes land. In short: devs are spooked, split, and stocking popcorn as NPM’s install starts to look a lot like execute.
Key Points
- Koi identified a campaign, PhantomRaven, that uploaded 126 malicious npm packages since August.
- The packages exploited npm’s Remote Dynamic Dependencies to fetch code from untrusted domains.
- These dependencies are invisible to developers and many scanners, making packages appear to have “0 Dependencies.”
- More than 86,000 downloads were recorded, and about 80 packages remained available as of Wednesday.
- NPM did not immediately respond to inquiries; the malicious dependencies harvest sensitive data, including environment variables.