Willow (GHOST): `--frozen-lockfile`, `--ignore-scripts`, `--fix-lockfile`, and `--ignore-workspace-root-check` all contain one JS file from the same author

See full post

Willow (GHOST) willow.sh · 15h
Did you know there are at least 139 packages on npm that start with a hyphen/dash? Curiously some of them look like CLI flags! --frozen-lockfile --fix-lockfile --legacy-peer-deps --ignore-scripts --ignore-workspace-root-check You've also got the package with a single dash for a name `-`

View on Bluesky Show all post labels
Willow (GHOST) willow.sh · 15h
I compiled a list here if anyone is interested, although there may be more as I'm missing some packuments from my replica cache! gist.github.com/ghostdevv/db...
packages that start with a hyphen/dash

packages that start with a hyphen/dash. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

View on Bluesky Show all post labels
Willow (GHOST) willow.sh
`--frozen-lockfile`, `--ignore-scripts`, `--fix-lockfile`, and `--ignore-workspace-root-check` all contain one JS file from the same author - it's pretty incredible stuff actually
Feb 6, 2026 12:54
0 reposts 0 quotes 0 likes

View on Bluesky Download image Show all post labels
Willow (GHOST) willow.sh · 15h
--legacy-peer-deps was pulled by npm as it did infact contain malicious code, good spot @lukewarlow.dev bsky.app/profile/luke...
- Luke lukewarlow.dev · 15h
  Replying to Willow (GHOST)
  Some of these presumably must be malware designed to trick people?
View on Bluesky Show all post labels
Willow (GHOST) willow.sh · 15h
Maybe there are some more interesting ones out there? Just please don't install them in case they are malware! 😄

View on Bluesky Show all post labels

An unhandled error has occurred. Reload 🗙

packages that start with a hyphen/dash