Did you know there are at least 139 packages on npm that start with a hyphen/dash? Curiously some of them look like CLI flags!
--frozen-lockfile
--fix-lockfile
--legacy-peer-deps
--ignore-scripts
--ignore-workspace-root-check
You've also got the package with a single dash for a name `-`
Some of these presumably must be malware designed to trick people?
Feb 6, 2026 12:41
oh good point!! fortunately it's not a valid package name anymore
I was thinking to myself like, someone must have intentionally published these because it's not easy to just publish a package, but I didn't make that connection 🤦‍♀️