by lenzm 1173 days ago
This seems like an arms race doomed to failure. The spammers can just add Hello World to pass the check. Then the check could be upgraded to look for some non-trivial behavior. Then the spammers will work around that. ... all at increasing costs to the package hosts. And now they have to be arbiters on what counts as trivial functionality.

>This seems like an arms race doomed to failure. The spammers can just add Hello World to pass the check. Then the check could be upgraded to look for some non-trivial behavior. Then the spammers will work around that. ... all at increasing costs to the package hosts. And now they have to be arbiters on what counts as trivial functionality.

IIUC, most of these spam "packages" don't have any code at all, just a README with links to whatever malicious sites they want folks to visit.

As such, don't assume that just because someone uploads a spam package they actually know how to code anything, especially since it appears that such spam packages are uploaded not to scam Node devs, but to use the good reputation of npmjs.com to host their spammy content.

Getting rid of that stuff is the low-hanging fruit. And I would not be at all surprised if almost all of these folks couldn't code anything useful or worthwhile in Node or any other language.

It's highly unlikely that most of the folks uploading these spam packages are node devs, or devs of any kind.

As such, most of these folks wouldn't be able to participate in an "arms race."

And while some tiny fraction of those folks might be an enterprising spammer who writes an actual npm package, the problem with that, of course, is that it's quite likely that it's just a small number of folks who are uploading dozens (hundreds?) of these "packages," forcing them to either reuse the code over and over again (which is fairly easy to spot) or to actually develop new code for each package.

And that's way too resource intensive for scammers. If they were folks who had skills, decent work ethic and/or an interest in anything other than running their scams, they wouldn't be posting fake (i.e., just an empty package with a README) packages in an attempt to use npmjs.com to host their crap.

I mean, I get it. Perhaps you made the assumption that these folks are actually devs? Since they're using the site -- but IIUC, there's no proof that's the case -- at least for the specific empty packages I referenced above.

Edit: Clarified my thoughts.
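The two heuristics the comment above argues for (packages that ship no code at all, only a README pointing at external sites, and the same code copy-pasted across many uploads) sketched as a triage pass. This is an added example, not code from the comment, from npm, or from any registry; the `Package` container and the sample packages are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts")
URL_RE = re.compile(r"https?://[^\s)>\]]+")


@dataclass
class Package:
    """Hypothetical in-memory view of an uploaded package: path -> file content."""
    name: str
    files: dict


def code_files(pkg):
    return sorted(p for p in pkg.files if p.endswith(CODE_SUFFIXES))


def is_readme_only(pkg):
    """True when the upload carries no code at all (the 'empty package with a README' case)."""
    return not code_files(pkg)


def external_links(pkg):
    readme = next((c for p, c in pkg.files.items() if p.lower().startswith("readme")), "")
    return sorted(set(URL_RE.findall(readme)))


def code_fingerprint(pkg):
    """Hash of all code with whitespace stripped, so renamed files or reindented copies collide."""
    h = hashlib.sha256()
    for path in code_files(pkg):
        h.update(re.sub(r"\s+", "", pkg.files[path]).encode())
    return h.hexdigest()


def triage(packages):
    """Return {package name: [reasons]} for uploads worth a closer look."""
    flagged, seen = {}, {}
    for pkg in packages:
        reasons = []
        if is_readme_only(pkg):
            reasons.append("readme-only")
            if external_links(pkg):
                reasons.append("external-links")
        else:
            fp = code_fingerprint(pkg)
            if fp in seen:
                reasons.append(f"duplicate-code-of:{seen[fp]}")
            seen.setdefault(fp, pkg.name)
        if reasons:
            flagged[pkg.name] = reasons
    return flagged


# Constructed sample uploads (not real packages); the URL is a reserved example domain.
SAMPLE = [
    Package("free-coupons-2023", {"package.json": "{}", "README.md": "Deals at https://example.invalid/deals"}),
    Package("left-pad-ish", {"package.json": "{}", "index.js": "module.exports = s => 'x'.repeat(4) + s;"}),
    Package("leftpad-clone", {"package.json": "{}", "main.js": "module.exports = s =>  'x'.repeat(4)+s;"}),
    Package("real-util", {"package.json": "{}", "index.js": "module.exports = x => x * 2;"}),
]
```

Both checks are deliberately crude: a README-only flag is cheap to run on every upload, while the fingerprint only catches near-verbatim reuse, which is exactly the "reuse the code over and over again" case the comment calls easy to spot.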