Happy New Year! What a way to open 2024! NPM user account gdi2290, aka PatrickJS, published a troll campaign to the NPM registry by uploading a package named “everything”, which relies on every other public NPM package, resulting in millions of transitive dependencies.
This leads to Denial of Service (DOS) for those who install “everything, “which causes issues like storage space exhaustion and disruptions in build pipelines.
The creators of the “everything” package have published over 3000 sub-packages. These sub-packages are designed to split the dependencies into chunks and to depend on all publicly available NPM registry packages.
The creators have also registered the domain https://everything.npm.lol/. On this website, they showcase the ensuing chaos and incorporate a famous meme from The Elder Scrolls V: Skyrim, adding an extra layer of humor or mockery to the situation.
Not the first time this has happened
A year ago, we encountered a situation with the package “no-one-left-behind” by Zalastax. This package depended on every publicly available npm package, creating an intricate web of dependencies. Despite being removed by the npm security team, a new development emerged on Jan 28th, 2023. Over 33,000 packages under the scope “infinitebrahmanuniverse,” prefixed with “nolb-,” surfaced as sub-packages of “no-one-left-behind.”
The downsides of these trolls
Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can’t do it if other packages are using it. The problem is, since “everything” relies on every package (including yours), your package gets stuck, and there’s some unknown package preventing you from removing it.
An attempt to delete the packages
It doesn’t seem PatrickJS realized the headache his troll would cause to some users. Two days after the prank packages were published, he created an issue and shared that he is unable to delete the packages since the NPM mechanism prevents deletion of published packages once they are being used by other projects and calls for help from NPM support team.
Summary
This act of digital mischief by PatrickJS echoes past incidents, highlighting ongoing challenges in package management and the cascading effects of dependencies within the NPM ecosystem. The situation underlines the comedic yet serious consequences of such pranks in the developer community.
Jossef heads the Supply Chain Security engineering group at Checkmarx. With vast malware research and engineering experience, he brings invaluable knowledge and skills to the table. In his spare time, Jossef loves contributing to the open-source community and he's ranked in the top 1% on Stack Overflow. Prior to Checkmarx, Jossef co-founded Dustico, a software supply chain security company acquired by Checkmarx in 2021. Jossef is responsible for developing Checkmarx’s top notch software supply chain attack detection technology where his deep development and security experience with a variety of coding languages comes into play.
Jossef heads the Supply Chain Security engineering group at Checkmarx. With vast malware research and engineering experience, he brings invaluable knowledge and skills to the table. In his spare time, Jossef loves contributing to the open-source community and he's ranked in the top 1% on Stack Overflow. Prior to Checkmarx, Jossef co-founded Dustico, a software supply chain security company acquired by Checkmarx in 2021. Jossef is responsible for developing Checkmarx’s top notch software supply chain attack detection technology where his deep development and security experience with a variety of coding languages comes into play.
By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the Checkmarx Privacy Policy and to
the processing of my personal data as described therein. By clicking submit below, you consent to allow Checkmarx
to store and process the personal information submitted above to provide you the content requested.