Download pumping: New npm deception technique for supply chain attacks

Learn how attackers exploit automated bot traffic as part of software supply chain attacks to artificially inflate download counters and mask malicious payloads as legitimate.

Downloads count metric

Following recent software supply chain attacks in which Tenable has seen attackers steal access tokens and secrets from developer workstations and CI/CD build servers, we started actively monitoring and analyzing npm packages uploaded to the public registry. Initially, we used download counts as a primary metric to determine package relevance.

During our monitoring, we identified a recurring anomaly: Brand new packages displayed unusually high download counts within hours of upload. Upon further investigation, we discovered that those packages also had many versions.

We found that packages whose content got updated frequently — usually by systematically uploading many new versions for the same package — had an unusually high downloads count.

We observed this technique being used deliberately in the wild for the first time in our analysis of the malicious “ambar-src” package, which reached more than 50,000 downloads in three days after attackers uploaded more than 700 versions. We named this technique “download pumping.”

Developers and security tools frequently use download counts as one of the metrics to assess a package's legitimacy. Since there is no simple method for determining if a package is legitimate, this artificial inflation effectively disguises the threat.

Analysis

In the “ambar-src” campaign, threat actors systematically published hundreds of benign versions of the package before introducing the actual malicious payload.

Because npm registers each interaction with these updates as traffic, this repetitive version-publishing process achieved two goals: 

• It heavily populated the package’s release history, creating a dense changelog that made the project appear actively maintained and historically legitimate to developers evaluating it.
• Every time a new version was published, automated systems like repository mirrors and analysis bots automatically downloaded it. Because the attackers systematically uploaded hundreds of versions, they artificially generated a massive wave of automated traffic, inflating the package's download count to more than 50,000 downloads in just three days.

From Tenable’s initial analysis, each version uploaded to the npm public registry typically receives between 100 and 150 downloads from automated systems. We verified that fact by running our proof-of-concept (POC) and analyzing the download count.

Download pumping PoC

To validate these mechanisms, we conducted a POC that replicated the download pumping behavior. We created test packages and systematically published a high volume of new versions to the npm registry. 

As the npm team stated in their blog, their download stats are naive by design, and they do not put much effort into filtering automated bot traffic. 

Thus, various repository mirrors, analytical bots, and automated security scanners immediately pulled each new version we uploaded. This validated that an attacker can predictably generate a baseline of downloads entirely through automated publishing, requiring zero organic user interaction.

During our POC, we wanted to see how different package properties might affect the automated download volume. We were working under the assumption that packages with postinstall scripts raise the interest level of security scanners.

Postinstall scripts are highly interesting to defenders because attackers frequently use these lifecycle hooks to automatically execute malicious payloads the moment a package is installed. Since this is a common malware-deployment technique, automated security scanners prioritize downloading and inspecting packages that have these scripts configured.

It is important to note that security scanners don’t have to download the package itself to determine if the npm package has a postinstall script configured, as this data is available in the package metadata in the public registry.

For those reasons, we believed that security scanners are more likely to download packages with install scripts configured, as they are more likely to contain malicious code. We deployed three distinct test packages to npm to test our assumption and observed the following results:

• Version bump only: 135.55 downloads per version
  This was our baseline test package. We didn’t add or remove any code when publishing a new version, nor did we make any other attempt to make the package look interesting. We simply bumped up the version number each time.
   
• Static postinstall script: 141.91 downloads per version
  This was our second test package, and the first one to have a postinstall script configured, but we didn’t change the script when publishing new versions.
   
• Dynamic postinstall script: 158.16 downloads per version
  In this third test package, we changed the postinstall script every time we bumped up the version. We did this as we believed that security scanners would be more interested in packages whose postinstall script changed, as it could be an indicator of compromise.
   

Graph showing how Tenable’s first POC software package experienced a spike in downloads when we started publishing new versions of it. 

This data demonstrates a straightforward cause-and-effect: automated infrastructure and security scanners naturally generate more download traffic for packages that exhibit interesting or actively changing behaviors.

Other package managers

While our research focused specifically on the npm ecosystem, the fundamental mechanics behind this technique are not unique to npm. Other package registries such as PyPI, RubyGems, and NuGet operate with similar automated infrastructure — mirrors, security scanners, and analysis bots — that pull new versions as they are published. Although the specific download amplification and trust metrics may differ across ecosystems, the core principle remains the same: where automated systems react to new publications, there is potential for abuse.

Real-world example of download pumping

As already stated, we first observed this technique being used in the wild during our analysis of the “ambar-src” package. 

Let’s look at this in more detail.

The attackers created an npm package containing utility code that can be used for legitimate purposes, such as MathUtils, StringUtils and Time functions. The attackers then systematically uploaded 428 legitimate versions of the package in just two hours. The attackers did this to gain initial credibility and attempt to lure developers to use their code.

Three days later, the attackers uploaded a new version containing malicious code. By this point, the attackers’ package already had more than 30,000 downloads.

In total, the attackers uploaded 724 versions including malicious and legitimate versions. This led to an artificially generated wave of automated traffic, resulting in around 50,000 downloads total.

This repetitive version-publishing process successfully inflated the package's download count and created a dense release history, making the project appear historically legitimate before the malware was deployed.

Past research on npm download manipulation

The manipulation of npm downloads metrics is not a new discovery. In a 2021 research blog, independent developer Andy Richardson showed how prone the npm registry’s download tracking is to abuse, by demonstrating that bad actors can send HTTP requests to a package’s tarball URL to fake downloads. 

Using automated tools, the researcher successfully drove nearly 1 million spoofed downloads in a single week for a completely unused package.

Tenable validated this technique still works in 2026. By sending HTTP requests directly to the URL of the package’s tarball, Tenable successfully inflated a test package’s metric to 17,000 downloads in approximately one hour, using nothing more than a standard office laptop and an internet connection.

However, this new version-flooding method we’ve identified offers two distinct advantages: 

• First, it provides amplification, because an attacker gains 100 to 150 automated downloads from repository mirrors for every single version they upload, rather than just one download per HTTP request.
• Second, systematically publishing these updates populates the release history, creating a dense version log that makes the package appear actively maintained and historically legitimate.

Mitigation of supply chain attacks

Organizations should not depend on download counts or version histories to determine if a package is legitimate. As we have demonstrated, attackers can easily fake these metrics using automated systems, creating a false sense of trust.

Instead, organizations should adopt common industry best practices, such as version pinning and implementing minimum package-age restrictions. 

These best practices are effective, as security vendors and the open-source community actively monitor these registries and typically detect malicious packages fairly quickly, within a couple of days at most. 

By enforcing a short waiting period of three to four days before allowing a new package or new version of an existing package into your environment, you allow the community time to identify these threats in the public registry. Once they are detected, they are removed from the public registry, eliminating the risk.

It is worth noting that npm is actively working to improve the security of its ecosystem. Recent efforts include adding support for package-age checks directly in the npm CLI, as well as strengthening authentication mechanisms for package maintainers to reduce the risk of account takeovers. 

While these are meaningful steps in the right direction, the reality is that no single measure can fully prevent malicious code from reaching the public registry. Supply chain attacks will continue to evolve, and organizations should also layer their own defenses rather than rely on the ecosystem alone.

For example, organizations can add extra protection for CI/CD build servers by deploying ephemeral CI/CD runners that are destroyed immediately after a single use to prevent malware from lingering. Operating those temporary runners without persistent storage makes it harder for threat actors to save their payloads or establish persistence across different build jobs.

Additionally, organizations should enforce least-privilege network access. Restricting outbound traffic makes it harder for malicious payloads running on the build server to reach the open internet to download second-stage malware payloads like “msinit.exe.”

So what?

Currently, developers are still being hacked through open-source supply chain techniques. The metrics developers and security tools depend on — download counts, version history, maintenance activity — are superficial indicators that, as we have demonstrated, an attacker can manipulat with minimal effort. But the problem runs deeper than fake signals.

Even when a package has a legitimate track record with a trusted maintainer behind it, that trust can be compromised overnight. Recent waves of account takeovers, social engineering campaigns, and credential theft targeting established maintainers have shown that a package's history is no guarantee of its current safety, even for legitimate packages. A new version published under a trusted name can carry a malicious payload, and the package manager has no built-in mechanism to catch it.

In practice, there is no deterministic method to determine if a new package is malicious or not. Therefore, each package you install and use must be treated like it could be malicious. The meaningful trust signal comes after the fact: from security vendors and the open-source community actively scanning and analyzing packages once they are published. 

This is exactly why enforcing minimum-age requirements on new packages and new versions is such an effective control. A short waiting period of a few days gives the security community time to detect, flag, and remove threats from the public registry before they ever reach your environment. Organizations that consume packages the moment they are published are accepting risk that is entirely avoidable.

Download pumping is ultimately just the initial entry vector for a much larger objective. Attackers using these techniques are generally aiming for one of two outcomes.

First, they aim to compromise build servers and CI/CD pipelines. By successfully injecting a malicious dependency into these systems, threat actors achieve “God-mode” over the infrastructure, which can lead to a full compromise of the entire production environment.

Second, and even worse, they aim to compromise the developers of highly popular packages. By hijacking a trusted maintainer’s environment, attackers can inject malicious code that thousands of downstream organizations automatically pull, creating a massive cascading effect across the broader software supply chain.

How Tenable can help defend against supply chain attacks

To defend against supply chain attacks, you need to know exactly what code is running in your environment. The Tenable One Exposure Management Platform and Tenable Nessus can help you build a complete asset inventory of the npm packages used across your organization.

Use the following Nessus plugins to build an inventory of the npm modules in your environment:

• 200172 - Node.js Modules Installed (Windows)
• 179440 - Node.js Modules Installed (macOS)
• 178772 - Node.js Modules Installed (Linux)

As Tenable continuously analyzes your environment, you get direct visibility into exactly what is installed on your systems. This visibility ensures you can quickly locate and remove compromised packages as soon as a new threat is discovered.

Beyond building a complete inventory, organizations also need to actively monitor their environments for live threats. Tenable One Cloud Exposure, a CNAPP, builds on this visibility by continuously monitoring your cloud environment to proactively detect these types of supply chain attacks in real time.

Together as part of the Tenable One Exposure Management Platform, these tools proactively detect supply chain attacks across your environments, ensuring your security teams can immediately identify and neutralize malicious activity before attackers can fully compromise your production systems.