npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

dont-install-this-pkg

v1.0.2

Published

A demo package for AI security workshops — shows how malicious packages can execute code on install.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

more_well_devmore_well_dev

Keywords

securityworkshopdemosupply-chain

Readme

dont-install-this-package

AI Security Workshop Demo — A NOT harmless package that demonstrates how npm supply-chain attacks work via postinstall scripts.

What is this?

This package is a live demo prop for security workshops. The moment you run:

npm install dont-install-this-package

…a postinstall script fires automatically and prints a big "YOU WAS HACKED!" banner to your terminal.

No actual harm is done. The point is to show that a real malicious package could do anything here — steal .env files, exfiltrate SSH keys, install a backdoor — and you would never know unless you audited the source code first.

The Attack Vector: postinstall

npm (and other package managers) allow packages to declare lifecycle scripts in package.json:

{
  "scripts": {
    "postinstall": "node scripts/postinstall.js"
  }
}

This script runs automatically with the same OS permissions as the developer who ran npm install. No confirmation prompt. No warning. Just execution.

Real-World Examples

| Package | Downloads before takedown | What it did | |---|---|---| | event-stream (2018) | Millions | Stole bitcoin wallet credentials | | ua-parser-js (2021) | 8M+/week | Crypto miner + credential stealer | | node-ipc (2022) | 1M+/week | Wiped files on Russian/Belarusian IPs | | colors / faker (2022) | Millions | Sabotaged by the author intentionally |

How to Protect Yourself

  • Audit before installingnpm audit and read changelogs
  • Check the package on npmjs.com — low download count + recent publish = red flag
  • Use a lock file — commit package-lock.json / yarn.lock and pin versions
  • Enable 2FA on your npm account
  • Use Socket.dev or Snyk in your CI pipeline to detect suspicious installs
  • Never blindly copy-paste install commands from README files, blog posts, or AI chatbots

Workshop Usage

This package is intentionally named dont-install-this-package so attendees understand the demo context before running anything. Use it to:

  1. Show the audience the postinstall hook in package.json
  2. Run npm install live on stage to trigger the banner
  3. Walk through what a real payload could look like
  4. Demo mitigation tools

License

MIT — use freely for educational purposes.