What Are The Bots Up To On npm?

Last year I had a thought, “who else is downloading and running / testing random modules on npm.” Postulating that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack systems and gain a foothold for some org and I was curious to know what that traffic looked like.

Illustration by Amy Lynn Taylor at yesand.is

So I set the bait.

I built a module, called botbait. This module calls home when it’s installed, required, or tested as well as the following.

var payload = {
process_versions: process.versions,
process_platform: process.platform,
process_arch: process.arch,
type: process.argv[2] || ‘index.js’
}

The Results

The results are pretty boring. I thought there would be a lot more random installations / tests to be honest.

Total Downloads — 582


Who took the bait?

Unique Sources — 7

The sources that stand out as interesting to me are the ones from Berkeley and Microsoft. I hope that somebody there has some interesting research to share.

Raw data.

2015-06-23T21:04:11.995Z, 193.137.5.49, ran npm test
2015-11-25T18:02:53.950Z, 140.78.145.161, npm i
2016-01-29T16:26:03.223Z, 89.251.52.64, npm i
2016-08-13T18:19:28.746Z, 131.107.160.43, ran or required index.js
2016-08-26T02:56:44.625Z, 103.6.32.2, npm i
2016-09-30T22:34:10.421Z, 192.31.105.138, ran or required index.js
2016-10-08T04:07:01.342Z, 192.31.105.136, ran or required index.js

Who else is watching?

During my late nights spelunking around the npm registry I found a few others that are calling home.

I do not in any way recommend installing these modules. At the time of writing they were not malicious but you never know.

et_phone_home — pings a url

wget -q http://176.31.142.25/javascript_no_way_you_got_here_randomly

anarchy — Reports to google analytics UA-48351156–4

harmlesspackage— reports your username via postinstall hook

curl -X GET http://104.131.21.155:8043/\\?$(whoami)

… I’m sure there are others that I didn’t notice this time around.

Final thoughts

Something I thought would be fun to dig into really wasn’t. It’s not always a glorious result for research. There isn’t a lot of automated activity that’s just downloading all the modules and doing things. Most of the activity comes from registry replicas mirroring the registry.

We spend a lot of time trying to secure the commons for the node community. It takes a lot of time and resources. If you would like to sponsor this work, get your application tested by a ridiculously talented group of hackers, or just have a friendly chat, reach out to us at contact@nodesecurity.io.