npm install turboencabulator
============================

By George Mandis
https://george.mand.is/2022/01/npm-install-turboencabulator
Thursday, January 13th 2022

Someone recently shared this story with me about an open-source developer corrupting their popular open-source NPM libraries:

- [bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/)

The incident raises questions about the modern web ecosystem and development practices, the economics of open-source maintenance and whether or not you truly "own" the code you store on any of these platforms. But writing more in depth on those topics is best left to more serious blogs.

After I read about it I wasted a little time looking up random NPM package names to see if they'd been claimed. Sometimes I peruse possible names for future projects. Other times I just look up funny words [or ideas](https://www.npmjs.com/package/real-birthday) to see if they exist.

That last line of thought made me think about [turboencabulators](https://en.wikipedia.org/wiki/Turboencabulator). If you're not familiar, the turboencabulator is probably one of the longest-running jokes in modern engineering. Its description, from 1944, is inscrutable, jargon-laden nonsense for an impossible, nonexistent machine. In other words: the perfect kind of thing to publish as an NPM package.

The thought of someone installing a turboencabulator as a dependency made me laugh, and seemed too perfect. I assumed someone out there must've had the same idea and done it years ago. I looked it up, and much to my astonishment, it was available! I nabbed it quickly:

- **NPM**: [npmjs.com/package/turboencabulator](https://www.npmjs.com/package/turboencabulator)
- **GitHub**: [github.com/georgemandis/turboencabulator](https://github.com/georgemandis/turboencabulator)

Success!
Now anyone can add the turboencabulator as a dependency to their project:

```bash
# Bash
npm install turboencabulator

# Yarn
yarn add turboencabulator
```

**A strange turn:** Within a couple of days, when all that existed in the project was a README file, I noticed the package had already been downloaded from NPM over 30 times (?!?)

![NPM Downloads](https://georgemandis.s3.us-west-1.amazonaws.com/npm-turboencabulator.jpg)

What is that all about?

**My theory** is that someone previously owned this package on NPM and other projects out there must have still had it listed as a dependency. I couldn't find any precise evidence of this yet, but it makes the most sense to me.

That's terrifying for an entirely different set of reasons than what the article I linked to at the beginning raises. I explained NPM package dependencies to someone not precisely in the tech industry the other day and realized just how bananas the whole thing is. I'm honestly astonished it isn't a bigger mess.

If the traffic persists for the next couple of weeks I might do more sleuthing and write a followup. It's only been a couple of days.

Lastly, as you may have noticed, there _is_ actually code inside the turboencabulator. What does it actually... do? It does exactly what it says in the description. I can't explain it any more clearly than that.

**P.S.** If you *are* the type to parse through the turboencabulator source and enjoyed deciphering it, you might enjoy contributing to another project of mine: [101 Hello Worlds](https://github.com/georgemandis/101-hello-worlds).