Summary
In late December 2023 (widely reported in early January 2024), npm user PatrickJS (gdi2290) published a troll package named 'everything' that, through roughly 3000 chunked sub-packages, declared a dependency on every public package in the npm registry. Installing it triggered a denial of service through storage exhaustion and broken build pipelines. Because npm does not allow a package to be unpublished while other packages depend on it, this registry-wide dependency web temporarily blocked many maintainers from removing their own packages until GitHub/npm intervened.
References
Related vulnerabilities
- CRITICAL GHSA-X223-P2GF-V735: Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- HIGH GHSA-72GW-MP4G-V24J: Multer vulnerable to Denial of Service via deeply nested field names
- MEDIUM GHSA-J543-4VMF-QM7V: pypdf: Possible large memory usage for form XObjects during text extraction
- HIGH GHSA-5W86-C3RQ-VJJ7: Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
- MEDIUM GHSA-6V5V-WF23-FMFQ: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
- HIGH GHSA-W5FM-68J4-FPC4: File Browser has a DoS Vulnerability via Public Login API