Bonum Certa Men Certa
The EPO is Run by Dictators, Elected Staff Representatives Are Left Out of Key Consultations | [Meme] Munich Agreement

Microsoft GitHub Exposé — Part XVIII — The Story of NPM

Series parts:

  1. Microsoft GitHub Exposé — Part I — Inside a Den of Corruption and Misogynists
  2. Microsoft GitHub Exposé — Part II — The Campaign Against GPL Compliance and War on Copyleft Enforcement
  3. Microsoft GitHub Exposé — Part III — A Story of Plagiarism and Likely Securities Fraud
  4. Microsoft GitHub Exposé — Part IV — Mr. MobileCoin: From Mono to Plagiarism... and to Unprecedented GPL Violations at GitHub (Microsoft)
  5. Microsoft GitHub Exposé — Part V — Why Nat Friedman is Leaving GitHub


  6. Microsoft GitHub Exposé — Part VI — The Media Has Mischaracterised Nat Friedman's Departure (Effective Now)
  7. Microsoft GitHub Exposé — Part VII — Nat Friedman, as GitHub CEO, Had a Plan of Defrauding Microsoft Shareholders
  8. Microsoft GitHub Exposé — Part VIII — Mr. Graveley's Long Career Serving Microsoft's Agenda (Before Hiring by Microsoft to Work on GitHub's GPL Violations Machine)
  9. Microsoft GitHub Exposé — Part IX — Microsoft's Chief Architect of GitHub Copilot Sought to be Arrested One Day After Techrights Article About Him
  10. Microsoft GitHub Exposé — Part X — Connections to the Mass Surveillance Industry (and the Surveillance State)


  11. Microsoft GitHub Exposé — Part XI — Violence Against Women
  12. Microsoft GitHub Exposé — Part XII — Life of Disorderly Conduct and Lust
  13. Microsoft GitHub Exposé — Part XIII — Nihilistic Death Cults With Substance Abuse and Sick Kinks
  14. Microsoft GitHub Exposé — Part XIV — Gaslighting Victims of Sexual Abuse and Violence
  15. Microsoft GitHub Exposé — Part XV — Cover-Up and Defamation


  16. Microsoft GitHub Exposé — Part XVI — The Attack on the Autonomy of Free Software Carries on
  17. Microsoft GitHub Exposé — Part XVII — Backsliding Into 1990s-Style Digital Slavery by Microsoft
  18. YOU ARE HERE ☞ The Story of NPM


GitHub: Where everything comes to die



Summary: The time seems right to resume this series, more so now that the Software Freedom Conservancy (SFC) [1, 2] and the Free Software Foundation (FSF) [1, 2, 3] grapple with the legal chaos caused by Team Mono inside Microsoft's GitHub

A few years ago Microsoft bought NPM through its tentacle (mind the pun!) known as GitHub, in effect controlling more of the "supply chain" while hiring NSA veterans to run GitHub. This is a major security fiasco, a blunder in the making. Remember that when NPM ships malware the media rushes to blame the victims (like GNU/Linux users who receive that malware) instead of blaming the company responsible for actually sending that malware. Meanwhile, with GitHub Actions, many projects have foolishly outsourced the build process to "the clown" -- in essence losing control of the compiler, instead trusting Microsoft and the NSA to manage that for them. It's a sort of subsidy (selling CPU cycles) in exchange for control. Who by? Microsoft.

It has been months since we published the arrest record of Balabhadra (Alex) Graveley, whom we'll leave outside it for a moment. He has court hearings and it's possible he'll be behind bars for a very long time. Those who were connected to him or defended him have long regretted it, possibly left their job, or "resigned" to avoid public embarrassment. We'll come back to them later in this series and maybe we'll have some updates from the courts.

"Some sites announced that Microsoft had taken over NPM and that was it (they actually said "GitHub" to perpetuate the illusion that Microsoft and GitHub are separate entities)."As the state of journalism in general (not just on technical matters) is so appalling these days little actual investigation of the NPM takeover was conducted. Some sites announced that Microsoft had taken over NPM and that was it (they actually said "GitHub" to perpetuate the illusion that Microsoft and GitHub are separate entities).

A rather reliable source recently told us a few details about the NPM story; "I remember all that drama with TJ Holowaychuk leaving the NPM scene," our sourced recalled. "Wondering if that was related to Microsoft acquiring NPM."

What shocked me most at the time was the lack of press coverage or scrutiny. Like nothing actually happened! Or like it didn't matter...

"A bit off topic but that whole event seemed strange," our source noted. The motivation is still barely known or explored; it's shrouded in mystery as there's no actual business model other than taking control of people. NPM wasn't about making money; the same was true about GitHub. The way we see it, Microsoft is trying to swallow all the code and repos as well (NPM). It's about control.

"The way we saw it (at the time of the acquisition), NPM is a piece for Microsoft's "supply chain" plan, which also helps the NSA's objectives, especially at times of conflict."TJ's [Holowaychuk] departure "was a pretty big event," our source explained. "At that point in time TJ had written like 60% of the node.js projects that everyone uses. Mostly by himself. Some people thought he wasn't a real person for a long time. Like they thought he was a collective..."

The way we saw it (at the time of the acquisition), NPM is a piece for Microsoft's "supply chain" plan, which also helps the NSA's objectives, especially at times of conflict. They can remotely take over all sorts of things. Remember that they hired from the NSA for GitHub management. This is all very well documented. What sort of company would do this??? Heck, they can even plant back doors in downloads, custom-made or tailored to specific downloaders, never mind the above-mentioned compilation process. Why would anyone trust Microsoft after the NSA leaks? They work hand-in-glove with the NSA on back doors.

"TJ is just a legend and influenced my personal coding style," our source told us. "There was another issue with the guy who originally wrote node.js [...] He wrote it then quit [...] Joyent hired him..."

"Ryan Dahl apparently thinks writing node.js was a mistake [...] Interesting he's also from Rochester or just went to school there [as Graveley] is from there [and] they're about the same age..."

NPM was acquired by GitHub two years after the Microsoft acquisition. It was mentioned by Nat Friedman on 16 March 2020.

According to our source, TJ's "complaints about node.js mostly seemed technical, but who knows..."

As a side note, it's worth mentioning that node.js and OpenJS became a Microsoft infiltration vector inside the Linux Foundation, as noted in Techrights several times in the past.

Now that the FSF and SFC are writing a lot more about Copilot (see links in the summary above) we intend to revisit the topic, probably some time next Monday. Graveley will walk into the darkness or some prison cell while we're left to pick up and grapple with the damage he and his "best friends" the Friedmans have caused.

The EPO is Run by Dictators, Elected Staff Representatives Are Left Out of Key Consultations | [Meme] Munich Agreement

Recent Techrights' Posts

Cannot Speak About IBM Wrongdoing or Jobs Being Sent Overseas (Lower Salaries)
IBM has long attacked the media, the whistleblowers, and even online forums
European Patent Office (EPO) Series: The CIA-Funded Centre-Left in Portugal
In the political turmoil which followed the fall of the old regime, the communists seemed to be acquiring a dominant position and there was a very real risk that Portugal could end up aligned with the Eastern Bloc if they were not stopped
Yesterday Afternoon The Register MS Published a Fake Article That Says "AI" 31 Times Because It Got Paid to Do This
What will happen when all those loans for slop (Ponzi scheme) stop and companies' marketing budgets - which include media bribes for hype campaigns - are no more?
Extraordinary General Meeting of Staff Union of the European Patent Office Ahead of Intensifying Strikes
We will, in the meantime, run a series about EPO corruption, which is now connected to corruption in Portugal and to corruption inside the EU
European Patent Office (EPO) Series: The Brotherhood of São Bento
The Palácio São Bento – or São Bento Palace – is the seat of the Portuguese National Assembly in Lisbon
 
Links 09/06/2026: "Smartphones Broke Dating" and "EU Open Source Strategy"
Links for the day
This Coming Friday
Richard Stallman (RMS)
Several Slopfarms That Target "Linux" Seem to Have Died
Or perished severely
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 08, 2026
IRC logs for Monday, June 08, 2026
Gemini Links 09/06/2026: Tanana River, Cassette Beasts, and Emacs
Links for the day
IBM's Quantum Bubble Already Deflating
Shares down over $55 in a few days
SLAPP Censorship - Part 101 Out of 200: Women Come to Realise They Don't Wish to Participate in Attacking Vulnerable Women
It relates to another topic that we shall be covering in the coming weeks
Links 08/06/2026: Proprietary Loaded With Security Holes, Armenia Defies Russia
Links for the day
Gemini Links 08/06/2026: NetHack 5.0.0 and Slop as Cannibalism
Links for the day
Links 08/06/2026: "Rising Emissions, Depleting Water" Due to the Pyramid Scheme of Slop; "Canada Needs to Rebuild Public Telecoms"
Links for the day
Brett Wilson LLP Reported to Police for Trying to Throw Large Parcel Into Our Home
This morning the campaign of intimidation...
GAFAM Bots Are Not "Good Bots"
There's nothing "Good" about Google
Links 08/06/2026: Criticism of Microsoft Trying to Criminalise Pointing Out Bug Doors, TikTok Now "Climate-Denying Social Media App"
Links for the day
Slop Has no ROI, an Economy Built on False Assumptions of Slop is Doomed
we're all going to suffer from this Ponzi scheme
The Cyber Show Has "Exciting Guests Coming" and a Gemini Capsule
"Site development is ongoing but now settling into a more stable form"
GNU/Linux Measured at 10% in Liechtenstein This Month
it seems like statCounter wrongly classified some GNU/Linux clients as Mac clients and is now issuing a correction
Communicating With Freedom - Part III - Quibble Envisioned as a New and Easily Accessible Communications Platform Based on LibreJS
the FSF really needs to become more active if not proactive in promoting those sorts of things
Clownflare Says Majority of Web Traffic is Now Bots, But the Net is Another Story
Bots are to Clownflare what lawsuits are to lawyers
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 07, 2026
IRC logs for Sunday, June 07, 2026
The Strikes at the European Patent Office Planned to Carry on for the Entire Year, Maybe Future Years as Well
There's a cautionary tale somewhere
Number of Patent Grants Has Plunged 23% Amid Strikes at the European Patent Office, Today There Are More Strikes (Strike Participation at Over 3,000, More Than Doubled Since Winter)
There is a growing crisis at the European Patent Office
E.E.E. Still Ongoing, the War on Copyleft/GPL Enables That
It also imperils security.
Gemini Links 07/06/2026: Lynx in the 'Modern' Web and 'Overcooked' (Plagiarised by LLM) Code
Links for the day
Links 07/06/2026: Java Needs Seawall, Egypt Blasted for Arbitrary Detention of Activists
Links for the day
SLAPP Censorship - Part 100 Out of 200: Interlude and Outline of the First Half, 3+ Months That Got Us Death Threats Connected to Brett Wilson LLP (and Cyber Attacks That Are Difficult to Attribute)
This week we plan to have a good time
Banning Things Versus Teaching People the Reason/s to Shun/Boycott Those Things
Prohibition has its limits
Links 07/06/2026: NASA's Mars Maven Declared Dead, Telegram Founder Pavel Durov Bemoans Russia's Crackdown
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, June 06, 2026
IRC logs for Saturday, June 06, 2026
Gemini Links 07/06/2026: How to Train Your Dragon (2010) and "Six Days of Play"
Links for the day