Empty NPM package '-' has over 700k downloads

61 points by clubdorothe, almost 4 years ago

12 comments

t0mek, almost 4 years ago
> Developers should exercise caution when typing npm commands in the terminal when especially when using flags.

The double "when" is quite funny here, given the nature of the npm problem described in the article.
marechalbernard, almost 4 years ago
The "-" package: https://www.npmjs.com/package/-
tus89, almost 4 years ago
And removing it will probably break half the internet. NPM in a nutshell.
marto1, almost 4 years ago
Where there's user input there's cybersquatting.
egberts, almost 4 years ago
A simple logic of NOT "-" would have blocked any reintroduction/upgrade of unintended "-" package, coupled with an inertiazed package replacing the accidentally-introduced "-" package.

Yeah, those who depend on the original but accidental "-" package for its functionality should suffer any consequential breakage that may have resulted from it.

*insert*fake*tear*here*
throwaway4good, almost 4 years ago
So why would anyone make a package like that?
hidden-spyder, almost 4 years ago
What even does this package do? I can't understand how to get to the source and the readme is vague.
James-Livesey, almost 4 years ago
> A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

...then a few lines further down the article:

> An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.

Kinda frustrating that the same information is being written twice imo... And then two ads in a row follow that
pajko, almost 4 years ago
What would happen if a newer version gets released sometime with some added malware functionality?
undebuggable, almost 4 years ago
Mistyped, incorrect, and copypasted shell commands which are incorrectly using the minus character.
brundolf, almost 4 years ago
Also 56 dependents
tapout1960, almost 4 years ago
Can a newer version be used to introduce malicious code for those downloading or the dependents?
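
A defensive check for the failure mode discussed in this thread (a mistyped `-` in an npm command ending up as a dependency named `-`), added here as an example and not taken from the thread or the article. The leading-dash heuristic, the function names, and the sample manifest and lockfile are assumptions constructed for illustration; the check also reports whether the entry is pinned, since an unpinned one would pick up a newer release.

```javascript
// Added example: audit parsed package.json / package-lock.json objects.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Heuristic (assumption): a name starting with "-" came from a mistyped flag.
const looksLikeStrayFlag = (name) => /^-/.test(name);
// True only for an exact x.y.z version; ranges and tags can move to a newer release.
const isPinned = (spec) => /^\d+\.\d+\.\d+$/.test(spec || "");

function finding(source, name, spec) {
  return { source, name, spec, pinned: isPinned(spec) };
}

function auditManifest(pkg) {
  const out = [];
  for (const field of DEP_FIELDS)
    for (const [name, spec] of Object.entries(pkg[field] || {}))
      if (looksLikeStrayFlag(name)) out.push(finding(field, name, spec));
  return out;
}

function auditLockfile(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (looksLikeStrayFlag(name)) out.push(finding(path, name, meta.version));
    }
    return out;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (looksLikeStrayFlag(name)) out.push(finding(trail + name, name, meta.version));
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Constructed sample inputs (not real project files).
const samplePackageJson = { dependencies: { express: "^4.17.1", "-": "*" } };
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "demo-app" },
  "node_modules/some-lib/node_modules/-": { version: "0.0.1" },
} };
```

Running both audits in CI catches the direct case (the manifest) and the transitive case (the lockfile), which is where a dependency pulled in by one of the dependents would show up.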