Download Pumping: New npm Deception Technique Masks Malicious Packages With Inflated Download Counts
Attackers are artificially inflating npm download counts by publishing hundreds of benign package versions, using automated bot traffic to trick developers into trusting and installing malicious payloads.

Tenable researchers have identified a supply-chain deception technique called 'download pumping' that exploits the npm registry's naive download counting mechanism to artificially boost the apparent popularity of malicious packages. The attack works by publishing hundreds of benign versions of a package before introducing the actual malicious payload, triggering automatic downloads from npm mirrors, analysis bots, and security scanners that collectively generate tens of thousands of downloads within days.
The technique was discovered during routine monitoring of npm packages, where researchers noticed brand-new packages showing unusually high download counts hours after upload—correlated with an abnormally high number of package versions. The malicious package 'ambar-src' reached over 50,000 downloads in three days after attackers uploaded more than 700 versions, making it the first confirmed in-the-wild use of this deception.
Download counts are a heuristic commonly used by both developers and security tools to gauge a package's legitimacy. By systematically publishing many versions, attackers create a dense changelog that makes a project appear actively maintained and historically legitimate. As the npm team has acknowledged, download stats are designed to be naive and do not filter automated bot traffic, leaving the ecosystem vulnerable to this form of manipulation.
To validate the mechanism, Tenable conducted a proof-of-concept by creating test packages and systematically publishing new versions to npm. The results confirmed that each version typically receives between 100 and 150 downloads entirely from automated infrastructure—mirrors, analytical bots, and security scanners—with zero organic user interaction required. The study also found that packages with postinstall scripts, especially those whose scripts changed between versions, attracted slightly higher automated download counts due to increased interest from security scanners.
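The two observations above (a brand-new package whose download count rises with an abnormally large version count, and a roughly fixed number of automated downloads per published version) can be turned into a triage check over registry metadata. The following is an added example, not Tenable's code or tooling; it assumes input shaped like an npm registry packument plus a download count, and its thresholds are illustrative.

```javascript
// Added example, not from the Tenable write-up. Assumes input shaped like an
// npm registry packument (time.created plus one timestamp per version) and a
// download count for the window; thresholds are illustrative, not Tenable's.
const DAY_MS = 86400000;

// Builds a constructed packument: versionCount releases spread over spanDays.
function makePackument(name, versionCount, createdAt, spanDays) {
  const created = Date.parse(createdAt);
  const time = { created: createdAt };
  const versions = {};
  for (let i = 0; i < versionCount; i++) {
    const v = `1.0.${i}`;
    const offset = (spanDays * DAY_MS * i) / Math.max(versionCount - 1, 1);
    time[v] = new Date(created + offset).toISOString();
    versions[v] = { name, version: v };
  }
  return { name, time, versions };
}

// Flags the combination the article describes: brand-new package, a burst of
// versions, and a download total that merely tracks the version count at the
// per-version rate that mirrors and scanners generate on their own.
function assessPackage(packument, downloads, now = new Date()) {
  const stamps = Object.keys(packument.versions)
    .map((v) => Date.parse(packument.time[v]))
    .filter(Number.isFinite)
    .sort((a, b) => a - b);
  const versionCount = stamps.length;
  const ageDays = (now.getTime() - Date.parse(packument.time.created)) / DAY_MS;
  const spanDays = versionCount > 1 ? (stamps[versionCount - 1] - stamps[0]) / DAY_MS : 0;
  const versionsPerDay = versionCount / Math.max(spanDays, 1 / 24); // floor: one hour
  const downloadsPerVersion = downloads / Math.max(versionCount, 1);
  const signals = [];
  if (ageDays <= 14 && versionCount >= 100) signals.push('new-package-many-versions');
  if (versionsPerDay >= 20) signals.push('burst-publishing');
  // Organic use puts downloads far above the version count; pumping yields
  // roughly 50-300 per version (ambar-src: ~50k downloads over 700+ versions).
  if (versionCount >= 50 && downloadsPerVersion >= 50 && downloadsPerVersion <= 300) {
    signals.push('downloads-track-version-count');
  }
  return { name: packument.name, versionCount, ageDays, versionsPerDay,
    downloadsPerVersion, signals, suspicious: signals.length >= 2 };
}

// Constructed samples: a pumped-looking package (700 versions in 3 days, 50k
// downloads) and a mature one (12 releases over ~3 years, 200k downloads).
const NOW = new Date('2025-01-04T00:00:00Z');
const PUMPED = makePackument('example-pumped', 700, '2025-01-01T00:00:00Z', 3);
const MATURE = makePackument('example-mature', 12, '2022-01-01T00:00:00Z', 1000);
console.log(assessPackage(PUMPED, 50000, NOW).signals, assessPackage(MATURE, 200000, NOW).signals);
```

Fed real packuments from the registry API, the same function separates a version-burst with scanner-only traffic from a long-lived package with genuine adoption; the per-version window is the figure to tune as registry mirrors and scanners change.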
The technique is particularly dangerous because it weaponizes the very tools and processes designed to protect the software supply chain. Automated security scanners, repository mirrors, and CI/CD pipelines that download packages for analysis inadvertently contribute to the inflation of download counts, making the malicious packages appear more trustworthy to human developers and automated risk-scoring systems alike.
This discovery adds to a growing list of sophisticated attacks on package registries. While typosquatting and dependency confusion remain common, download pumping represents a new category of social engineering that exploits infrastructure behavior rather than user error. The npm registry's download count design makes mitigating this technique difficult without fundamental changes to how downloads are tracked and reported.
Tenable researchers recommend that developers stop relying solely on download counts as a trust metric and instead evaluate packages based on code review, community reputation, maintainer verification, and the use of security scanning tools that assess actual code behavior rather than metadata alone. Registry maintainers may need to implement download filtering or adopt reputation scoring that accounts for automated traffic inflation.