
Keep in mind that the vast majority of the 86,000 downloads are probably automated downloads by tools looking for malicious code, or other malicious tools pulling every new package version looking for leaked credentials.

When I iterate with new versions of a package that I’ve never promoted anywhere, each version gets hundreds of downloads in the first day or two of being published.

86,000 people did not get pwned, possibly even zero.



Or it's some poor idiot's CI repeatedly downloading them, and for a zombie project that no one will ever use.


When I published a library it got about 300 downloads a week for the first few and then dropped down to about 100. That would be a lot of weeks.

> Many of the dependencies used names that are known to be “hallucinated” by AI chatbots.

There’s more here than that.


As TFA says, they're targeting package names that are somewhere in LLM training data but don't actually exist, so are being hallucinated by LLMs. And there's now a large number of folks with zero clue busy vibe-coding their killer app with no idea that bad things can happen.

I would not be surprised to find that 80%+ of those 86,000 people got pwned.
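A pre-install vetting check that applies the two points made in this thread: a dependency name that is very new, has almost no release history and points at no repository is the profile a slopsquatted package fits, and raw download counts are deliberately not treated as a trust signal. This is an added example, not code from the thread; the field shapes (`time.created`, `versions`, `repository`) follow the npm registry package document, but every package and value below is constructed.

```python
from datetime import datetime, timezone

# Constructed registry snapshots shaped like npm package documents.
# Neither package record here is real data; the names and dates are made up.
REGISTRY = {
    "totally-real-auth-helper": {
        "time": {"created": "2025-04-01T10:00:00.000Z"},
        "versions": {"1.0.0": {}},
        "repository": None,
        "downloads_last_week": 86000,  # ignored on purpose: scanners and CI inflate this
    },
    "express": {
        "time": {"created": "2010-12-29T19:38:25.450Z"},
        "versions": {"4.18.0": {}, "4.18.1": {}, "4.18.2": {}, "4.19.0": {}},
        "repository": {"url": "git+https://github.com/expressjs/express.git"},
        "downloads_last_week": 30000000,
    },
}

NOW = datetime(2025, 4, 10, tzinfo=timezone.utc)  # constructed "current" time


def assess_package(name, registry, now=NOW, max_age_days=30, min_versions=3):
    """Return (verdict, reasons) for one dependency name.

    verdict is "missing" (name not in the registry, so an install would fail),
    "suspicious" (one or more slopsquatting-shaped signals), or "ok".
    Download counts are never consulted: per the thread, they mostly measure bots.
    """
    meta = registry.get(name)
    if meta is None:
        return "missing", ["name not found in registry"]
    reasons = []
    created = datetime.fromisoformat(meta["time"]["created"].replace("Z", "+00:00"))
    age_days = (now - created).days
    if age_days < max_age_days:
        reasons.append(f"created only {age_days} days ago")
    if len(meta.get("versions", {})) < min_versions:
        reasons.append(f"only {len(meta.get('versions', {}))} published version(s)")
    if not meta.get("repository"):
        reasons.append("no repository URL in metadata")
    return ("suspicious" if reasons else "ok"), reasons


def vet_dependencies(names, registry, now=NOW):
    """Vet every name in a dependency list; returns {name: (verdict, reasons)}."""
    return {name: assess_package(name, registry, now) for name in names}


if __name__ == "__main__":
    for name, (verdict, reasons) in vet_dependencies(
        ["express", "totally-real-auth-helper", "does-not-exist-pkg"], REGISTRY
    ).items():
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

A "suspicious" result is a prompt for a human to look at the package before installing it, not proof of malice; the thresholds are assumptions and should be tuned per project.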



