This repository has been archived by the owner on Jun 14, 2018. It is now read-only.

Display this page as deprecated on npm #12

Open: wants to merge 2 commits into master

Conversation

peabnuts123

This package shadows a package in the NodeJS standard lib. Seeing as it is also 5+ years old with no changes and an essentially empty codebase, it should be marked as deprecated. Changed the README to display a message saying people need not install this package. Also, as per #10, changed the license attribute to match the new format.

Would like to see this published to npm for the benefit of people misunderstanding the platform.

… Also changed the license as per PR Gozala#10 to not utilise deprecated URL and type fields. Added a .gitignore to ignore node_modules.
}]
"license": "BSD-3-Clause",
"dependencies": {
"peabnuts123s-evil-module": "^1.0.4"
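Review bot: the `"dependencies"` block adding `"peabnuts123s-evil-module": "^1.0.4"` should be dropped from this hunk. A package whose README now tells people not to install it should pull in nothing at all, and the review comment below records that this module was removed from npm and replaced with the security holder placeholder, so the range cannot resolve to the code the PR author intended anyway. The PR description only mentions the README and the `license` field; keep the change to those two edits.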


This was removed from npm and replaced with the "security holder module" - why add it as a dependency?

peabnuts123 (Author)

Admittedly this was a somewhat underhanded attempt for me to demonstrate how one could fairly easily create a worm in npm. This package gets a lot of accidental installs. My old peabnuts123s-evil-module used to install itself as a primary dependency upon being installed as any level of subdependency. It did nothing malicious, just installed itself as a proof of concept around the security of npm and JavaScript's dependency culture. My package got cleaned up in a sweep npm did of their repository sometime last year due to the way it was linked to some other packages and I was unable to get it reinstated.

If you would be interested in allowing me to recreate this demonstration I could create another package and update my Pull Request. I am very concerned that somebody with malicious intent will pull off something like this and compromise hundreds of thousands of people's packages, computers, networks etc. at some point in the future. Feel free to message me on Twitter @peabnuts123 or email me on [email protected] if you want me to talk you through more of this. I gave a presentation at a conference, "Kiwicon", in 2016 to around 2k people on this and would love to raise awareness further, given the opportunity. Thanks!
