Privacy Ninja



Empty npm package ‘-’ has over 700,000 downloads — here’s why

A mysterious, one-letter npm package named “-” sitting on the registry since 2020 has received over 700,000 downloads.

What’s more? The package contains no functional code, so what makes it score so many downloads?

Inside the npm package “-”

An npm package called “-” has scored almost 720,000 downloads since its publication on the npm registry in early 2020.

There’s only one version of the package, 0.0.1, and it contains three files:

    tar tvf 0.0.1/-0.0.1.tgz


Inside these files, mainly the manifest (package.json) and index.js, there is nothing phenomenally interesting, just skeleton code.

The manifest does pull in a bunch of development dependencies (devDependencies) and invokes some commands on the “ts-node” component, but that’s about it. It’s practically dead code, for now:

The index.js file and the manifest file (package.json) of “-” (BleepingComputer)

“-” is used by over 50 packages

It gets even better.

The practically useless package “-” serves as a dependency for over 50 npm packages, without a clear explanation:

npm package “-” is used by 56 packages (

But most of these dependencies have no more than a few dozen weekly downloads.

So, how is it that “-” has scored almost 720,000 downloads?

It is plausible that the package gets pulled in when someone running npm commands from the terminal makes a typographical error.

For example, to install an npm package called “somepackage,” you’d have to run:

    npm i somepackage

What if you were specifying a few flags but made a mistake? For example:

    npm i - someFlag somepackage

The space between the “-” and someFlag may cause npm to pull in “-”, as a package with that name does exist.

It’s therefore plausible that the package’s thousandfold download counts are a result of developers making typos.

Similarly, when adding dependencies to package.json via the command line, it isn’t too hard to see how a “-” could slip in by error.

In a test, BleepingComputer ran the following command with the intention of downloading “somepackage” and “axsharma” from npm.

But notice the intentional typo, an extra “-” before the “--save” flag:

    npm install somepackage axsharma - --save

Unsurprisingly, both the resulting file package-lock.json and the node_modules/ folder contained the “-” package, explaining how it could slip into your dependencies in the real world:

Generated node_modules folder and package-lock.json file contain “-” package (BleepingComputer)

BleepingComputer reached out to the package’s author, Dmitry Parzhitsky, with some questions, such as why this package was created, but we haven’t heard back.

The package’s creation itself could be accidental or caused by a test script that finished prematurely.

Both the file included within the package and the package’s npm page indicate “-” was generated by a script:

README file for “-” (BleepingComputer)

Suffice to say, while there is nothing right now in “-” that indicates it is malicious, we don’t know what the next version of “-” could look like, should it be released.

Other examples of single-letter packages, or those resembling npm commands, include, but aren’t limited to: i, g, install, D, and s.

This means, typing “npm i i somePackage” by mistake, as opposed to “npm i somePackage,” will, in turn, install the i package, in addition to somePackage.

“The real issue here is that you can install these packages and never know it. Running npm install - g my-package will install the package you want.”

“Only later on, when you try to access that package elsewhere will there be any indication that you made a typo. In the meantime, both - and g have been riding along in your project.”

“npm could (and maybe should) disallow components that share names with its commands,” software developer Matt Freeland at Sonatype shared with BleepingComputer.

Freeland further expressed that once packages are installed, npm presents a summarized success message such as, “added 3 packages, and audited 8 packages,” rather than printing the exact list of packages installed.

“Naming the installed packages in the success message would give developers a chance to actually catch their errors,” he continued.

In recent times, open-source registries, including npm, have repeatedly been flooded with malware or unwanted content.

Developers should exercise caution when typing npm commands in the terminal, especially when using flags. It’s also a good idea to check why your packages are dependent on this mysterious package.
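One way to act on that advice, as an added example that is not from the article or from npm: a Node.js function that scans a parsed package.json and package-lock.json for the names the article lists, or any one-character name, and reports whether each was declared directly. The function names, the one-character heuristic and the sample data are assumptions made for this example.

```javascript
// SUSPECT_NAMES holds the names the article lists; treating every one-character
// name as suspect is a heuristic assumed for this example.
const SUSPECT_NAMES = new Set(['-', 'i', 'g', 'install', 'D', 's']);

function isSuspiciousName(name) {
  return SUSPECT_NAMES.has(name) || name.length === 1;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root key "" -> null.
function nameFromLockKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// manifest: parsed package.json; lock: parsed package-lock.json (v1, v2 or v3).
function auditProject(manifest, lock) {
  const direct = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    Object.keys(manifest[field] || {}).forEach((n) => direct.add(n));
  }
  const findings = new Map();
  const record = (name, version) => {
    if (!isSuspiciousName(name) || findings.has(name)) return;
    findings.set(name, { name, version: version || null, direct: direct.has(name) });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (name) record(name, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  direct.forEach((name) => record(name, null)); // declared but not yet locked
  return [...findings.values()].sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample: project state after the article's mistyped install command.
const sampleManifest = { dependencies: { '-': '^0.0.1', axsharma: '^1.0.0', somepackage: '^1.0.0' } };
const sampleLock = { lockfileVersion: 2, packages: {
  '': { name: 'demo' }, 'node_modules/-': { version: '0.0.1' },
  'node_modules/axsharma': { version: '1.0.0' }, 'node_modules/somepackage': { version: '1.0.0' },
} };
console.log(auditProject(sampleManifest, sampleLock));
```

A finding with `direct: true` points to a typo in your own install command; `direct: false` means another package pulled the name in, which `npm ls <name>` can trace.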
