Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: The npm registry suffers spam infestation, and Microsoft makes Google sad.
1. Spam in npm
First up this week: Scammers and SEO scrotes are flooding the npm registry with spam packages. Of course, this is exactly what always happens when you offer free, open publishing of anyone's blobs.
Analysis: New Problems Mount
Unpopular opinion: It’s time to do away with centralized repos.
Gabi Dobocan: One In Two New Npm Packages Is SEO Spam
“Tip of the iceberg”
Out of the ~320k new npm packages or versions … over the past week, at least ~185k [are] SEO spam. Just in the last hour as of writing this article, 1583 new e-book spam packages have been published. All … are currently live on npmjs.com.
Most of the spam packages … come from a single … malicious Telegram channel, with over 7k members … targeting Russian-speaking people….
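The quoted numbers describe spam that shares a few traits: packages that ship no code, descriptions and READMEs stuffed with links and e-book bait, and accounts that publish hundreds of packages an hour. Below is an added example (mine, not code from The Long View, from Gabi Dobocan's analysis, or from npm) that turns those traits into a triage script over registry-style package metadata. The package records are constructed to resemble what the npm registry API returns; the signal names, the spam term list and every threshold are assumptions chosen for illustration, not published npm rules.

```python
"""Heuristic triage of npm package metadata for SEO / e-book spam.

Added example; not code from the article, from Gabi Dobocan, or from npm.
The sample records below are constructed, and the heuristics and thresholds
are assumptions for illustration, not a published registry rule.
"""
from collections import defaultdict
from datetime import datetime
import re

URL_RE = re.compile(r"https?://\S+")
# Assumed vocabulary of the e-book / "read online" spam the article describes.
SPAM_TERMS = ("ebook", "e-book", "pdf", "download", "read online", "free")
# File extensions that count as shipping actual code (an assumption).
CODE_EXTS = (".js", ".mjs", ".cjs", ".ts", ".wasm", ".node")

# Constructed sample: one ordinary library, one thin-but-real package, three
# e-book spam packages from one account within twenty minutes, and one
# link-farm package from a second account. Names and URLs are made up.
SAMPLE_PACKAGES = [
    {"name": "tiny-left-pad", "maintainer": "alice",
     "time": "2023-02-20T10:00:00.000Z",
     "description": "Pad a string on the left to a given width.",
     "readme": "# tiny-left-pad\n\nSee https://github.com/alice/tiny-left-pad for docs.",
     "files": ["package.json", "index.js", "README.md"],
     "repository": "https://github.com/alice/tiny-left-pad"},
    {"name": "cli-color-names", "maintainer": "bob",
     "time": "2023-02-20T10:30:00.000Z",
     "description": "Map of ANSI colour names to escape codes.",
     "readme": "Usage: require('cli-color-names')",
     "files": ["package.json", "index.js"],
     "repository": None},
] + [
    {"name": f"read-novel-chapter-{n}-free", "maintainer": "bookbot",
     "time": ts,
     "description": "Free PDF download of the full e-book, read online now",
     "readme": "Download: https://example.invalid/a https://example.invalid/b https://example.invalid/c",
     "files": ["package.json", "README.md"],
     "repository": None}
    for n, ts in ((12, "2023-02-20T11:00:00.000Z"),
                  (13, "2023-02-20T11:07:00.000Z"),
                  (14, "2023-02-20T11:19:00.000Z"))
] + [
    {"name": "best-crypto-wallet-2023", "maintainer": "promo1",
     "time": "2023-02-20T12:00:00.000Z",
     "description": "Top 10 free crypto wallets of 2023: download the guide",
     "readme": "https://example.invalid/x https://example.invalid/y https://example.invalid/z",
     "files": ["package.json", "README.md"],
     "repository": None},
]


def _parse_time(ts):
    # Registry timestamps look like 2023-02-20T10:00:00.000Z; make them tz-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def package_signals(pkg):
    """Return the set of spam signals one package record triggers on its own."""
    signals = set()
    files = [f.lower() for f in pkg.get("files", [])]
    if not any(f.endswith(CODE_EXTS) for f in files):
        signals.add("no-code")          # nothing but package.json / README
    text = f"{pkg.get('description', '')} {pkg.get('readme', '')}"
    urls = URL_RE.findall(text)
    words = text.split()
    if len(urls) >= 3 or (words and len(urls) / len(words) > 0.25):
        signals.add("link-heavy")       # README / description is a link farm
    lowered = text.lower()
    if sum(term in lowered for term in SPAM_TERMS) >= 2:
        signals.add("ebook-terms")      # e-book / "read online" bait
    if not pkg.get("repository"):
        signals.add("no-repository")    # weak on its own; only counts with others
    return signals


def burst_publishers(packages, window_minutes=60, threshold=3):
    """Maintainers who published >= threshold packages inside one time window."""
    times_by_maintainer = defaultdict(list)
    for pkg in packages:
        times_by_maintainer[pkg["maintainer"]].append(_parse_time(pkg["time"]))
    flagged = set()
    for maintainer, times in times_by_maintainer.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_minutes * 60:
                j += 1
            if j - i >= threshold:
                flagged.add(maintainer)
                break
    return flagged


def triage(packages, min_signals=2):
    """Map package name -> sorted signals, for packages with >= min_signals."""
    bursty = burst_publishers(packages)
    verdicts = {}
    for pkg in packages:
        signals = package_signals(pkg)
        if pkg["maintainer"] in bursty:
            signals.add("burst-publisher")
        if len(signals) >= min_signals:
            verdicts[pkg["name"]] = sorted(signals)
    return verdicts


if __name__ == "__main__":
    for name, signals in triage(SAMPLE_PACKAGES).items():
        print(f"{name}: {', '.join(signals)}")
```

Requiring two independent signals is the point of the design: a package with no repository field (common among perfectly good packages) is not flagged on its own, while a code-free, link-stuffed package from an account that just published three others in twenty minutes lights up on every heuristic. In practice you would feed this from the registry's package documents and the maintainer's recent publish history rather than the constructed records above, and treat a hit as a reason to block or review the install, not as proof of anything.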