It's Party Time For NPM Spammers🥳

17 May 2024


As a Spammer of the registry (pun intended), I want to explain to you what's going on with the NPM registry and its management.

At first, I felt the title `It's Party Time For NPM Spammers🥳` was offensive, unlawful, or disrespectful, and I also asked for help from an AI chatbot. I got the following results, but I purposefully stayed with the same to get attention from both NPM and the dev community.

AI Chatbot: Certainly! Here are some alternative titles for your blog post on spammers in the NPM registry:

  1. “Navigating the Murky Waters: A Deep Dive into NPM Registry Spam”
  2. “Guarding the NPM Gates: Strategies to Combat Registry Spam”
  3. “Unmasking the Shadows: Inside the World of NPM Registry Spammers”

Let's start with some basics. I request that you take a close look at the forthcoming screenshots.

What is NPM?

It is the world's largest software registry and a Node Package Manager for the JavaScript programming language maintained by Microsoft's npm, Inc.

Types of Spam

Let's list out some with my experience and a few real examples currently living in the registry.

  • Keyword Stuffing:

    Packages using irrelevant keywords to appear in more search results.

  • Malicious Code:

    Packages containing harmful code or backdoors.

  • Rewarding decentralized protocol (New Type):

    These packages were created to get some incentives from the OSS blockchain technology. You can learn more from here.

  • Fake Packages:

    Impersonating popular packages to deceive users.

  • Low-Quality Packages:

    Flooded with typos, irrelevant content, or empty functionality.

  • Bot-Generated Packages:

    Automated spam submissions.

  • Phishing Attempts:

    Packages designed to steal sensitive information.

  • Dependency Spam:

    Malicious packages as dependencies of legitimate ones.

  • Hello World Packages (Low priority issue):

    The students & learners try their first-time packages.

  • Weird Packages:

    There are many packages with index.js file containing a comment which says something like the below and I try to understand with the google translator, no luck, if you got it, please let me know in the comments.

  • Fancy Packages Control:

    These kinds of users acquire short package names.

NOTE: This list excludes security related malicious packages as they are often reported by the experts.

Some notable past incidents:

Some Spammers List

Here, I am going to list some of them because it is simply not possible to list all of them here, also, with the number of packages published by each one.

  1.\~onedionysc - 6931

  2.\~shivamkalsi2024 - 997

  3.\~79w - 551

  4.\~ellentea - 599

  5.\~uirewikilabs - 323

  6.\~quinterochris100 - 361

  7.\~vanthuanbt26 - 250

  8.\~tiengiangb47 - 230

  9.\~swenkertreanpm - 227

  10.\~loandinhb931 - 224

These are my random picks, and who knows how many of them are.

The Team's Response

The Problem

The problem is not the spammers, as they always will be, but the real problem is within the management.

Take, for example:

If someone reports this via one of your support forums, the reply they get is simply redirection; they are redirecting you to fill out their respective forms for spam submissions.

What if the reporter did not want to do extra work here?

The important thing to note here is that the spammers and their packages live happily, even after we provide the absolute spam users and their package links.


I am writing this blog because I waited too long for them to fix it.

Justice delayed is justice denied

- William Blackstone

Please don't forget to check out our important Articles:

Happy coding! 🚀

🙏 Thanks for reading.