Future of Package Updates on NPM

[aiko-chan-ai]

I am considering no longer updating and publishing this package on NPM.
The reason is that this package has been frequently impersonated to insert malicious code aimed at stealing user tokens.
Additionally, the package name is somewhat sensitive (a selfbot package).
Should I proceed with this plan? Users would then update the package via GitHub (which is more difficult) or continue updating through NPM (with a more noticeable warning).

I will keep this question open from version 3.4.0 until just before version 3.5.0 is released. In the meantime, I will still update patches on NPM.

Ref: #1237

[userandaname]

The reason is that this package has been frequently impersonated to insert malicious code aimed at stealing user tokens.

but wouldn't taking it off of npm fuel the fire either way, as the official copy wouldn't be available on npm, thus allowing for more impersonations of the package, and people could just reupload versions of the github downloadables onto npm that could have critical backdoors?

¯\_(ツ)_/¯

[aiko-chan-ai]

but wouldn't taking it off of npm fuel the fire either way, as the official copy wouldn't be available on npm, thus allowing for more impersonations of the package, and people could just reupload versions of the github downloadables onto npm that could have critical backdoors?

In fact, I can only mark it as deprecated/unsupported, but I cannot remove it from the npm registry, and I have no intention of removing it.

[userandaname]

In fact, I can only mark it as deprecated/unsupported, but I cannot remove it from the npm registry, and I have no intention of removing it.

ah okay, didn't know that you can't remove packages from the npm registry

[tizu69]

In fact, I can only mark it as deprecated/unsupported, but I cannot remove it from the npm registry, and I have no intention of removing it.

ah okay, didn't know that you can't remove packages from the npm registry

fyi, you can, but only within 72 hours or so.

[dank074]

Don't think you should stop updating on NPM. Other packages have had the same problem with people creating fake copies with included malware and distributing it with a similar name, it is just something that happens unfortunately. Users just need to be more vigilant and ensure they are installing the correct package.

[aiko-chan-ai]

;_;

[dank074]

Think it is a good idea to include a big warning about impersonating packages in the readme though

[skyslovt]

I believe it would be better to change the package name, such as replacing 'selfbot' with another term. Some users mistakenly think this is a traditional selfbot that they can simply install and start using. I'm considering alternatives like 'discord.js-auto-v13' or 'discord.js-user-v13.

[hexxt-git]

this package is awesome please keep going