Download pumping: New npm deception technique for supply chain attacks
ID: dd5578de-6281-5c0b-9831-ffbe7c11a2de
STIX ID: report--dd5578de-6281-5c0b-9831-ffbe7c11a2de
Feed Name: Tenable Blog
Attackers manipulate package registries by publishing large numbers of benign versions. Each new version triggers automated mirrors and scanners to download the package, which artificially inflates its download counts and version history so that it appears legitimate. Once that trust is built, the attackers introduce malicious payloads (as demonstrated by the ambar-src campaign). Tenable validated the technique with a proof-of-concept, measured roughly 100–150 automated downloads per uploaded version, showed that the method works across ecosystems (npm, PyPI, RubyGems, NuGet), and recommends controls such as minimum package-age restrictions, version pinning, and hardened CI/CD practices.
