Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: The npm registry suffers spam infestation, and Microsoft makes Google sad.
1. Spam in npm
First up this week: Scammers and SEO scrotes are flooding the npm repo with spammy packages. Of course, this is exactly what always happens when you offer a free service for shared blobs.
Analysis: New Problems Mount
Unpopular opinion: It’s time to do away with centralized repos.
Gabi Dobocan: One In Two New Npm Packages Is SEO Spam
“Tip of the iceberg”
Out of the ~320k new npm packages or versions … over the past week, at least ~185k [are] SEO spam. Just in the last hour as of writing this article, 1583 new e-book spam packages have been published. All … are currently live on npmjs.com.
…
Most of the spam packages … come from a single … malicious Telegram channel, with over 7k members … targeting Russian-speaking people. Package names are set to match searches on various sensitive topics, like the war in Ukraine or investment decisions made by Gazprom. The package description, however, reads: “Forget about financial problems forever: a new method of earning will allow you to earn millions without leaving your home!”
…
We’re in the process of reporting all of the identified spam packages to npm. We suspect this is only the tip of the iceberg, since we’ve been able to identify many packages that have been live in the npm repo for years (like uyo-xint).
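The pattern Dobocan describes (one lure description copied across thousands of packages, pushed at a rate of over a thousand an hour) is exactly the kind of thing a registry or a downstream consumer can flag automatically. The following is an added illustration, not code from the column or from any registry; it runs two simple heuristics over constructed registry-style records, a lure-phrase match on the description and a per-publisher publishing-rate burst, and returns the packages flagged with the reasons. The record shape, the phrase list and the threshold of 20 packages per publisher per hour are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registry-style records for this example (not real npm data).
def _rec(name, description, publisher, minute):
    return {
        "name": name,
        "description": description,
        "publisher": publisher,
        "published": datetime(2023, 3, 14, 10, minute),
    }

# The lure text quoted in the article, reused verbatim across the spam.
LURE = ("Forget about financial problems forever: a new method of earning "
        "will allow you to earn millions without leaving your home!")

SAMPLE_PACKAGES = [
    _rec("left-pad-utils", "Pad strings on the left", "alice", 0),
    _rec("tiny-json-parser", "Minimal JSON parser", "bob", 5),
    # one lure package from an otherwise quiet account: caught by phrase only
    _rec("gazprom-dividends-2023", LURE, "carol", 7),
] + [
    # twenty-five packages pushed by one account inside ten minutes (constructed)
    _rec(f"ukraine-news-ebook-{i}", LURE, "spam-bot", i % 10) for i in range(25)
]

# Assumed phrase list and rate threshold; tune these against real data.
LURE_PHRASES = ("earn millions", "without leaving your home",
                "financial problems forever")
BURST_THRESHOLD = 20           # packages per publisher per window
BURST_WINDOW = timedelta(hours=1)


def description_is_lure(description):
    """True if the description contains a known lure phrase (case-insensitive)."""
    text = description.lower()
    return any(phrase in text for phrase in LURE_PHRASES)


def burst_publishers(packages, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return the set of publishers that pushed >= threshold packages
    within any sliding window of the given length."""
    by_pub = defaultdict(list)
    for pkg in packages:
        by_pub[pkg["publisher"]].append(pkg["published"])
    bursty = set()
    for publisher, times in by_pub.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            if j < i:
                j = i
            # advance j to the first timestamp outside [times[i], times[i] + window)
            while j < len(times) and times[j] - times[i] < window:
                j += 1
            if j - i >= threshold:
                bursty.add(publisher)
                break
    return bursty


def flag_spam(packages):
    """Map package name -> list of reasons for every package that trips a heuristic."""
    bursty = burst_publishers(packages)
    flagged = {}
    for pkg in packages:
        reasons = []
        if description_is_lure(pkg["description"]):
            reasons.append("lure-description")
        if pkg["publisher"] in bursty:
            reasons.append("publishing-burst")
        if reasons:
            flagged[pkg["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in sorted(flag_spam(SAMPLE_PACKAGES).items()):
        print(f"{name}: {', '.join(reasons)}")
```

The burst check is the more robust of the two: a spammer can reword the description, but the channel's business model depends on volume, and a publisher account pushing hundreds of packages an hour has no legitimate counterpart. Either signal alone is a reason to hold a package for review rather than to delete it outright.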
Ah, Lloyd’s tragedy of the commons. Perhaps npm should charge a small per-package fee? dspillett explains why not:
People just won’t bother, no matter how small the small fee is. For some they simply can’t (no access to international payment systems), for others they simply won’t want the extra admin. … A free alternative will spring up, many will move to that, and once it becomes significant enough it’ll become a spam target, and we are back where we began except things are a bit more fragmented.
With another idea, here’s peterww:
Crap community, crap experience. They need community moderation.
…
This could be further enhanced by various means (captchas, confirming user identity via SMS, etc.) But the point is to have humans in the loop, not allow just anyone to publish anything, and have a way to quickly identify and pause anything that seems like malware.
A plague on both their houses, thinks verdverm:
Is this … a point against having centralized registries? Why not go straight to the source code host? … Registry-less dependency management is how Go works today, and doesn’t have those problems:
…
1. No need to spend time publishing, just push a commit
2. No need to npm i or edit a file—modules can be inferred from imports because they use FQDN.
Meanwhile, ArchieBunker wishes you would exit his grassed area:
The real question is why you need to pull in so many third party libraries? How on earth was software ever written in the decades before this nonsense?
2. Google Accuses Microsoft of Anti-Competitive Sins
A Google Cloud VP has dumped on Microsoft Azure, saying it uses immoral bundling and secret sweetheart deals. Google is asking EU antitrust regulators to act.
Analysis: Pot meets IaaS kettle
Really, Google? When it comes to leveraging your huge market position, you don’t exactly have a cleaner than clean reputation.
Foo Yun Chee: Google says Microsoft cloud practices are anti-competitive
“Spat between Google and Microsoft”
Google Cloud has accused Microsoft of anti-competitive cloud computing practices and criticised imminent deals with several European cloud vendors, saying these do not solve broader concerns about its licensing terms. [Alphabet] has raised the issue with antitrust agencies and urged European Union antitrust regulators to take a closer look.
…
“Microsoft definitely has a very anti-competitive posture in cloud. They are leveraging a lot of their dominance in the on-premise business as well as Office 365 and Windows to tie Azure and the rest of cloud services,” … Google Cloud … Vice President Amit Zavery told [us]. “When we talk to a lot of our customers, they find a lot of these bundling practices … pricing and licensing restrictions make it difficult for them to choose other providers.”
…
Zavery dismissed the suggestion that the issue is merely a spat between Google and Microsoft: “It’s the cloud. The premise … was to have an open, flexible way to deploy your software and [give] customers more choices so that they can run their software in any place they choose to.”
Sure, it’s about the cloud, but Google plays similar games. u/Savoritz20:
I will always welcome more competition. All the cloud providers, including Google, make it incredibly complicated and expensive to move to another cloud.
While cloud is still cheaper than on-prem (in most instances), it will be interesting to see what companies do as they continue to raise prices. The cloud world is starting to resemble the TV streaming world, only you can’t just click a button to cancel your subscription.
And heed OfMiceAndMenus’s sweary retort:
What? Oh **** off Google. You’re one of the biggest anti-competitive monopolies out there, and even in some of the same spaces.
…
If you’re going to go after MS for unfair cloud computing practices you’re going to have to go through AWS first. They’re a much bigger fish in that pond.
Part of Google’s complaint is about Microsoft’s attractive pricing. u/_bobby_tables_ doesn’t see it like that:
My Azure bill seems to indicate that there’s room for competition.
The Moral of the Story:
Life would be tragic if it weren’t funny
—Stephen Hawking
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or tlv@richi.uk.
Image: Boxed Water (via Unsplash; leveled and cropped)