{"id":54982,"date":"2024-01-04T13:17:16","date_gmt":"2024-01-04T13:17:16","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35362\/NPM-Registry-Prank-Leaves-Developers-Unable-To-Unpublish-Packages.html"},"modified":"2024-01-04T13:17:16","modified_gmt":"2024-01-04T13:17:16","slug":"npm-registry-prank-leaves-developers-unable-to-unpublish-packages","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/","title":{"rendered":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/01\/010324_gary_oldman_leon.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><em>Update Jan. 4, 2024: <\/em><\/p>\n<p>GitHub told SC Media Wednesday night that disruptions related to the &#8220;everything&#8221; package, and its registry-wide dependencies, were being resolved.<\/p>\n<p>&#8220;We found the project to be in violation of GitHub&#8217;s <a href=\"https:\/\/docs.github.com\/en\/site-policy\/acceptable-use-policies\/github-disrupting-the-experience-of-other-users\" data-type=\"link\" data-id=\"https:\/\/docs.github.com\/en\/site-policy\/acceptable-use-policies\/github-disrupting-the-experience-of-other-users\">Acceptable Use Policies<\/a>, which prohibit behavior that significantly or continually disrupts the experience of other users. It was also found to violate the <a href=\"https:\/\/docs.npmjs.com\/policies\/conduct\" data-type=\"link\" data-id=\"https:\/\/docs.npmjs.com\/policies\/conduct\">npm Code of Conduct<\/a>,&#8221; the company stated. &#8220;We have resolved the dependency issue, so packages can now be removed if they meet our unpublish criteria, and are working to remove the packages from both the npm registry and GitHub.&#8221;<\/p>\n<p>As of Thursday morning, the &#8220;everything&#8221; repository had been removed from GitHub. The &#8220;everything&#8221; package still appeared to be active on the NPM registry but, now without a source commit, is accompanied by a message reading, &#8220;Please verify the source before using this package.&#8221;<\/p>\n<p><em>Original report Jan. 3, 2024:<\/em><\/p>\n<p>NPM registry users were rendered unable to unpublish any public packages beginning late last week due to an apparent prank gone wrong.<\/p>\n<p>The GitHub-operated open-source JavaScript package repository hosts more than 2 million packages and is used by more than 17 million developers, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.npmjs.com\/\" target=\"_blank\">according to the NPM website<\/a>.<\/p>\n<p>On Dec. 29, a package titled \u201ceverything\u201d was published to the registry, which is designed to install all other public packages in the registry. This created a registry-wide web of dependencies that effectively disabled the ability to unpublish packages on the site, as packages that other packages are dependent on cannot be unpublished.<\/p>\n<p>The incident triggered responses from developers left unable to unpublish their deprecated or experimental packages, as well as criticism from some who viewed the stunt as an abuse of the open-source NPM system.<\/p>\n<p>The developers behind \u201ceverything\u201d said they did not anticipate these consequences and reached out to NPM and GitHub to resolve the issue. Ironically, the team was left unable to unpublish \u201ceverything\u201d themselves due to a circle of dependencies that essentially made the package dependent on itself.<\/p>\n<p>\u201cWe just thought it would be funny,\u201d wrote Evan Boehs, an \u201ceverything\u201d contributor, in response to another GitHub user\u2019s question about the project\u2019s purpose. \u201cWe did not know all this would happen.\u201d<\/p>\n<h2>Disruptive \u2018everything\u2019 JavaScript package created \u2018for the meme\u2019<\/h2>\n<p>The \u201ceverything\u201d package was accompanied by a \u201cREADME\u201d file stating \u201cPlease don\u2019t actually install this\u2026\u201d It also included a meme image of Gary Oldman from the film \u201cL\u00e9on,\u201d depicting a scene in which Oldman\u2019s character dramatically shouts the word \u201ceveryone.\u201d<\/p>\n<p>The \u201cabout\u201d section of the \u201ceverything\u201d repository also includes a link to the website \u201ceverything.npm.lol,\u201d which displays an animation depicting numerous packages being installed followed by a meme from the video game \u201cThe Elder Scrolls V: Skyrim.\u201d<\/p>\n<p>Despite the warning to not install the package, the NPM registry site indicates \u201ceverything\u201d was downloaded 224 times as of Jan. 3.<\/p>\n<p>Jossef Harush, head of the supply chain security engineering group at Checkmarx, said <a href=\"https:\/\/checkmarx.com\/blog\/when-everything-goes-wrong-npm-dependency-hell-campaign-2024-edition\/\" target=\"_blank\" rel=\"noreferrer noopener\">in a blog post<\/a> that installing \u201ceverything\u201d would likely result in a denial of service (DoS). Harush also refers to the project as a \u201ctroll campaign.\u201d<\/p>\n<p>\u201cI want to reiterate that we aren\u2019t trolls, we are at worst QA testers for NPM, and at best comedians and creative coders,\u201d Boehs wrote separately in a comment on GitHub.<\/p>\n<h2>More than 2 million NPM packages caught up in \u2018dependency hell\u2019<\/h2>\n<p>The sweeping effect of \u201ceverything\u201d across the entire NPM registry exposes flaws in the NPM open-source system, argues contributor PatrickJS on GitHub, who goes by the username gdi2290 on the NPM site.<\/p>\n<p>\u201cto be clear this is an edge-case in NPM\u2019s unpublish policy which doesn\u2019t account for \u2018*,\u2019\u201d PatrickJS wrote on GitHub, referring to the star symbol that indicates a package\u2019s dependency on any and all versions of another package. PatrickJS suggested that GitHub should allow developers to unpublish a package if its dependents rely on \u201cstar versions,\u201d or disable this use of \u201c*\u201d altogether.<\/p>\n<p>\u201cOne other thing to note while discussing this fiasco, we considered that this could have been exploited for much more malicious reasons,\u201d said fellow contributor Boehs. \u201cSay, if somebody accidentally uploads sensitive information, a bad actor could make packages to keep it up. It\u2019s good this was caught in this way instead of after being exploited in the wild.\u201d<\/p>\n<p>Some other developers were not convinced, expressing frustration and disapproval on the \u201ceverything\u201d repository\u2019s issues board.<\/p>\n<p>One user, Matt Lucock, lambasted the group for \u201creckless negligence\u201d and for blaming NPM for the fallout of their project.<\/p>\n<p>\u201cYou have deluded yourselves into believing that the problem isn\u2019t that you abused the registry, but that npm\u2019s unpublish rules don\u2019t hold up to someone abusing the registry in this way,\u201d Lucock wrote, adding that the unpublish rules are necessary \u201cprotect the integrity of the registry.\u201d<\/p>\n<p>Nicolas Ventura, a data center engineer at Lawrence Berkeley National Lab, reported that one of his deprecated packages was impacted by the dependency issue, and said that while the project was \u201cinteresting and humorous,\u201d it ultimately caused unnecessary problems.<\/p>\n<p>\u201cThis project certainly feels like spam and the thousands of sub-packages should not have been published to the official NPM repository and are just causing clutter,\u201d Ventura wrote. \u201cI\u2019m fascinated that NPM didn\u2019t flag or block any packages from being published, since many other websites, like social media has posting limits.\u201d<\/p>\n<p>The \u201ceverything\u201d package, which has more than 3,000 sub-packages, remains published on the NPM registry as of this writing, although PatrickJS reported that GitHub was actively working to fix the issue since Tuesday night.<\/p>\n<h2>\u2018Everything\u2019 not the first to break NPM\u2019s dependency system<\/h2>\n<p>Lucock and Harush note previous instances of developers publishing NPM packages that created a stir due to the creation of registry-wide dependencies. &nbsp;<\/p>\n<p>In 2012, the \u201choarders\u201d package, <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/jfhbrook\/hoarders\" target=\"_blank\">described by its creators<\/a> as \u201cnode.js\u2019s most complete \u2018utility grab-bag,\u2019\u201d created dependencies for all 20,000 modules published in the NPM registry at the time. The project <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/jfhbrook\/hoarders\/issues\/2\" target=\"_blank\">received backlash<\/a> and was later revised to work without creating direct dependencies to the utilities it installs.<\/p>\n<p>More recently, in January 2023, a package called \u201cno-one-left-behind\u201d was made dependent on all other packages in the NPM registry. The package was <a rel=\"noreferrer noopener\" href=\"https:\/\/www.npmjs.com\/package\/no-one-left-behind\" target=\"_blank\">removed by NPM<\/a>, which labeled it as containing \u201cmalicious code,\u201d although more than 33,000 subpackages of \u201cno-one-left-behind\u201d continued to exist, <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/npm\/feedback\/discussions\/858\" target=\"_blank\">causing some difficulty<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35362\/NPM-Registry-Prank-Leaves-Developers-Unable-To-Unpublish-Packages.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":54983,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[140],"class_list":["post-54982","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinehacker"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-04T13:17:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/01\/010324_gary_oldman_leon.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"NPM Registry Prank Leaves Developers Unable To Unpublish Packages\",\"datePublished\":\"2024-01-04T13:17:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/\"},\"wordCount\":1048,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg\",\"keywords\":[\"headline,hacker\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/\",\"name\":\"NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg\",\"datePublished\":\"2024-01-04T13:17:16+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg\",\"width\":797,\"height\":531},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehacker\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"NPM Registry Prank Leaves Developers Unable To Unpublish Packages\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/","og_locale":"en_US","og_type":"article","og_title":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-01-04T13:17:16+00:00","og_image":[{"url":"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/01\/010324_gary_oldman_leon.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages","datePublished":"2024-01-04T13:17:16+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/"},"wordCount":1048,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg","keywords":["headline,hacker"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/","url":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/","name":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg","datePublished":"2024-01-04T13:17:16+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/01\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages.jpg","width":797,"height":531},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/npm-registry-prank-leaves-developers-unable-to-unpublish-packages\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehacker\/"},{"@type":"ListItem","position":3,"name":"NPM Registry Prank Leaves Developers Unable To Unpublish Packages"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54982"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54982\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/54983"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}