Back in July 2025, I was prototyping a new project and decided to try out MikroORM. The docs said to run npx mikro-orm-esm for migrations. So I did.
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/mikro-orm-esmPackage doesn't exist, that’s strange! Then it hit me: what if someone had registered this? I would've seen:
Need to install the following packages:
mikro-orm-esm@1.0.0
Ok to proceed? (y)I would've just hit y. Everyone does. And nothing in that prompt tells you whether you're about to install malware or a legitimate tool.
The docs pointed to a non-existent package. How many other phantom package references are floating around? How many have already been claimed by attackers? I had to know.
So I started digging. Wrote scripts to scan npm for packages referenced in READMEs and scripts but never actually published. Cross-referenced thousands of npx invocations. Found dozens. Claimed 14 of them before anyone else could. Then S1ngularity happened, and the research got shelved.
Six months later, I was reminded of my research thanks to the community researching similar things. I finally checked the download counts: 121,539 downloads!
People had been hitting these non-existent commands thousands of times a week. For months. While the packages just sat there collecting data.
Six Months of Data
Downloads didn't stay flat. They grew. Started slow in late July. Recent peak hit 4,236 downloads in a single day (January 16th, 2026).
- Total: 121,539 downloads across 128 packages
- Weekly average: 3,903
- Peak day: 4,236 downloads (Jan 16, 2026)
Quick note on noise: every time you publish a new version of a package, it automatically gets 60-100 downloads from security scanners and mirrors. That's baseline noise per release. Packages with multiple versions accumulate noise quickly. Anything consistently above that threshold is real usage.
Notice the dip around late December? Holidays. Even phantom package downloads take Christmas off.
The Big Three
Three packages account for 79% of all downloads:
openapi-generator-cli: 48,356 downloads (actual package: @openapitools/openapi-generator-cli)cucumber-js: 32,110 downloads (actual package:@cucumber/cucumber)depcruise: 15,637 downloads (actual package:dependency-cruiser)
openapi-generator-cli saw 3,994 downloads in just the last 7 days. That's nearly 4,000 times someone tried to run a command that doesn't exist. In one week.
The Long Tail
The remaining packages with significant downloads:
jsdoc2md: 4,641 downloadsgrpc_tools_node_protoc: 4,518 downloadsvue-demi-switch: 1,166 downloadsstyleguidist: 805 downloadsmikro-orm-esm: 314 downloadspvbase64: 142 downloadscromwell: 106 downloads
Remember that 60-100 download baseline per version? A package with 3 versions could have 180-300 downloads of pure noise. fathym with 83 downloads total is likely all noise. But mikro-orm-esm with 314? Even accounting for multiple versions, that's real attempts.
styleguidist with 805 downloads means hundreds of real executions. Could be CI/CD hitting it repeatedly. Could be dozens of different developers. Either way, it's real usage of a package that shouldn't exist.
How We Found These
We run a full npm registry mirror at Aikido. Parsed every package.json and README across the entire registry. Extracted npx commands. Cross-referenced against what's actually registered. We also searched GitHub's code search to see how widely these phantom commands appear in the wild, in documentation, CI configs, scripts, anywhere developers might reference them.
Three data points for each package:
- Registry references: How many npm packages mention this command in their package.json or README
- GitHub results: How many code files or repos reference this command on GitHub
- Downloads: How many times people actually tried to run it
We claimed 14 in July 2025. When I picked the research back up in January, we expanded our analysis and found many more. At this point, we’ve claimed 128 packages in total.
Some patterns worth noting:
Major attack vectors (10K+ downloads): openapi-generator-cli, cucumber-js, and depcruise all show strong correlation between npm references, GitHub mentions, and actual downloads. These would be devastating in attacker hands.
High exposure, low conversion: styleguidist has 246 npm references and 286 GitHub results, but only 805 downloads. git-scripts-pre-push has 126 references but just 93 downloads. Visibility doesn't always equal execution.
Documentation-only vectors: mikro-orm-esm has zero npm package references but 80 GitHub results and 314 downloads. Proof that documentation alone can drive hundreds of installs, even without any npm ecosystem references.
Why This Is Dangerous
The attack is simple.
An attacker registers the package. Adds a postinstall script that exfiltrates environment variables: npm tokens, cloud credentials, API keys, whatever's lying around. Then waits.
At peak, that's potentially ~4,000 compromised machines per week. Developer workstations. CI servers. Build environments. Many are possibly running with credentials in environment variables. There’s no phishing needed. No supply chain compromise of existing packages. Just claim the name and wait for npx to bring victims to you.
When someone runs the command, they see:
Need to install the following packages:
openapi-generator-cli@1.0.0
Ok to proceed? (y)The prompt doesn't show who published it. Doesn't show when. Doesn't show whether it's what you're looking for. You might see this prompt regularly for legitimate tools. Muscle memory takes over, because we’re humans. You type y, as everybody else does. That's it. That's the entire attack.
We closed 128 gaps across multiple rounds. We’ve caught the worst cases. But there’s a long tail of thousands.
A Note on npm's Protections
npm does have typosquatting protection. When we tried to claim certain names, npm rejected them with similarity errors. Names like rsbuild, vuedoc, napi, t-ci were all too close to existing packages. That's good. It means npm is actively blocking obvious squatting attempts.
But these phantom commands aren't typos. They're names that were never registered in the first place. npm's similarity check doesn't catch those because there's nothing to be "similar to."
What You Should Do
Use npx --no-install
npx --no-install your-commandThis forces npx to only use local binaries. No registry fallback. If it's not installed, it fails. That's what you want.
Install CLI tools explicitly. Don't rely on npx to fetch them:
{
"devDependencies": {
"@openapitools/openapi-generator-cli": "^2.7.0"
}
}
Verify before running. Documentation says to run npx something? Check that the package actually exists first. Check it's the right one. Especially in CI/CD.
Claim your namespace. If you maintain a CLI tool, register the obvious aliases and misspellings. Cheap insurance against someone else doing it maliciously.
How to Tell If You're Affected
If you are an Aikido user, check your central feed and filter on malware issues. Any phantom package vulnerabilities will surface as a 100/100 critical issue in the feed. Aikido rescans your repos nightly, though we recommend triggering a full rescan as well.
If you are not yet an Aikido user, set up a free account and connect your repos. Our proprietary malware coverage is included in the free plan (no credit card required).
For future protection, consider using Aikido SafeChain (open source), a secure wrapper for npm, npx, yarn, and pnpm. SafeChain sits in your current workflows, intercepting package install commands and verifying packages against Aikido Intel (our open source threat intelligence) before they hit your machine. Stop threats at the gate.
The Math
121,539 downloads in seven months. 3,903 per week on average. Peak of 4,236 in a single day. 128 packages claimed total (14 in July, rest in January).
The npm ecosystem has millions of packages. Developers run npx commands thousands of times daily. The gap between "convenient default" and "arbitrary code execution" is one unclaimed package name.
Secure your software now
