02.28.22

Gemini version available ♊︎

Microsoft GitHub Exposé — Part XVIII — The Story of NPM

Posted in Free/Libre Software, GPL, Microsoft, Security at 11:40 am by Dr. Roy Schestowitz

Series parts:

  1. Microsoft GitHub Exposé — Part I — Inside a Den of Corruption and Misogynists
  2. Microsoft GitHub Exposé — Part II — The Campaign Against GPL Compliance and War on Copyleft Enforcement
  3. Microsoft GitHub Exposé — Part III — A Story of Plagiarism and Likely Securities Fraud
  4. Microsoft GitHub Exposé — Part IV — Mr. MobileCoin: From Mono to Plagiarism… and to Unprecedented GPL Violations at GitHub (Microsoft)
  5. Microsoft GitHub Exposé — Part V — Why Nat Friedman is Leaving GitHub
  6. Microsoft GitHub Exposé — Part VI — The Media Has Mischaracterised Nat Friedman’s Departure (Effective Now)
  7. Microsoft GitHub Exposé — Part VII — Nat Friedman, as GitHub CEO, Had a Plan of Defrauding Microsoft Shareholders
  8. Microsoft GitHub Exposé — Part VIII — Mr. Graveley’s Long Career Serving Microsoft’s Agenda (Before Hiring by Microsoft to Work on GitHub’s GPL Violations Machine)
  9. Microsoft GitHub Exposé — Part IX — Microsoft’s Chief Architect of GitHub Copilot Sought to be Arrested One Day After Techrights Article About Him
  10. Microsoft GitHub Exposé — Part X — Connections to the Mass Surveillance Industry (and the Surveillance State)
  11. Microsoft GitHub Exposé — Part XI — Violence Against Women
  12. Microsoft GitHub Exposé — Part XII — Life of Disorderly Conduct and Lust
  13. Microsoft GitHub Exposé — Part XIII — Nihilistic Death Cults With Substance Abuse and Sick Kinks
  14. Microsoft GitHub Exposé — Part XIV — Gaslighting Victims of Sexual Abuse and Violence
  15. Microsoft GitHub Exposé — Part XV — Cover-Up and Defamation
  16. Microsoft GitHub Exposé — Part XVI — The Attack on the Autonomy of Free Software Carries on
  17. Microsoft GitHub Exposé — Part XVII — Backsliding Into 1990s-Style Digital Slavery by Microsoft
  18. YOU ARE HERE ☞ The Story of NPM

GitHub: Where everything comes to die

Summary: The time seems right to resume this series, more so now that the Software Freedom Conservancy (SFC) [1, 2] and the Free Software Foundation (FSF) [1, 2, 3] grapple with the legal chaos caused by Team Mono inside Microsoft’s GitHub

A few years ago Microsoft bought NPM through its tentacle (mind the pun!) known as GitHub, in effect controlling more of the “supply chain” while hiring NSA veterans to run GitHub. This is a major security fiasco, a blunder in the making. Remember that when NPM ships malware the media rushes to blame the victims (like GNU/Linux users who receive that malware) instead of blaming the company responsible for actually sending that malware. Meanwhile, with GitHub Actions, many projects have foolishly outsourced the build process to “the clown” — in essence losing control of the compiler, instead trusting Microsoft and the NSA to manage that for them. It’s a sort of subsidy (selling CPU cycles) in exchange for control. Who by? Microsoft.

It has been months since we published the arrest record of Balabhadra (Alex) Graveley, whom we’ll leave outside it for a moment. He has court hearings and it’s possible he’ll be behind bars for a very long time. Those who were connected to him or defended him have long regretted it, possibly left their job, or “resigned” to avoid public embarrassment. We’ll come back to them later in this series and maybe we’ll have some updates from the courts.

“Some sites announced that Microsoft had taken over NPM and that was it (they actually said “GitHub” to perpetuate the illusion that Microsoft and GitHub are separate entities).”As the state of journalism in general (not just on technical matters) is so appalling these days little actual investigation of the NPM takeover was conducted. Some sites announced that Microsoft had taken over NPM and that was it (they actually said “GitHub” to perpetuate the illusion that Microsoft and GitHub are separate entities).

A rather reliable source recently told us a few details about the NPM story; “I remember all that drama with TJ Holowaychuk leaving the NPM scene,” our sourced recalled. “Wondering if that was related to Microsoft acquiring NPM.”

What shocked me most at the time was the lack of press coverage or scrutiny. Like nothing actually happened! Or like it didn’t matter…

“A bit off topic but that whole event seemed strange,” our source noted. The motivation is still barely known or explored; it’s shrouded in mystery as there’s no actual business model other than taking control of people. NPM wasn’t about making money; the same was true about GitHub. The way we see it, Microsoft is trying to swallow all the code and repos as well (NPM). It’s about control.

“The way we saw it (at the time of the acquisition), NPM is a piece for Microsoft’s “supply chain” plan, which also helps the NSA’s objectives, especially at times of conflict.”TJ’s [Holowaychuk] departure “was a pretty big event,” our source explained. “At that point in time TJ had written like 60% of the node.js projects that everyone uses. Mostly by himself. Some people thought he wasn’t a real person for a long time. Like they thought he was a collective…”

The way we saw it (at the time of the acquisition), NPM is a piece for Microsoft’s “supply chain” plan, which also helps the NSA’s objectives, especially at times of conflict. They can remotely take over all sorts of things. Remember that they hired from the NSA for GitHub management. This is all very well documented. What sort of company would do this??? Heck, they can even plant back doors in downloads, custom-made or tailored to specific downloaders, never mind the above-mentioned compilation process. Why would anyone trust Microsoft after the NSA leaks? They work hand-in-glove with the NSA on back doors.

“TJ is just a legend and influenced my personal coding style,” our source told us. “There was another issue with the guy who originally wrote node.js [...] He wrote it then quit [...] Joyent hired him…”

“Ryan Dahl apparently thinks writing node.js was a mistake [...] Interesting he’s also from Rochester or just went to school there [as Graveley] is from there [and] they’re about the same age…”

NPM was acquired by GitHub two years after the Microsoft acquisition. It was mentioned by Nat Friedman on 16 March 2020.

According to our source, TJ’s “complaints about node.js mostly seemed technical, but who knows…”

As a side note, it’s worth mentioning that node.js and OpenJS became a Microsoft infiltration vector inside the Linux Foundation, as noted in Techrights several times in the past.

Now that the FSF and SFC are writing a lot more about Copilot (see links in the summary above) we intend to revisit the topic, probably some time next Monday. Graveley will walk into the darkness or some prison cell while we’re left to pick up and grapple with the damage he and his "best friends" the Friedmans have caused.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Links 21/03/2023: Trisquel GNU/Linux 11.0 LTS

    Links for the day



  2. Back Doors Proponent Microsoft Infiltrates Panels That Write the Security Regulations, Press Fails to Point Out the Obvious

    Cult tactics and classic entryism serve Microsoft again, stacking the panels and basically writing policy (CISA). As an associate explained it, citing this new example, Stanford “neglects to point out the obvious fact that Microsoft is writing its own regulations.”



  3. IRC Proceedings: Monday, March 20, 2023

    IRC logs for Monday, March 20, 2023



  4. Links 20/03/2023: Curl 8.0.0/1 and CloudStack 4.18.0.0 LTS

    Links for the day



  5. Standard Life (Phoenix Group Holdings): Three Weeks to Merely Start Investigating Pension Fraud (and Only After Repeated Reminders From the Fraud's Victims)

    As the phonecall above hopefully shows (or further elucidates), Standard Life leaves customers in a Kafkaesque situation, bouncing them from one person to another person without actually progressing on a fraud investigation



  6. Standard Life Paper Mills in Edinburgh

    Standard Life is issuing official-looking financial papers for companies that then use that paperwork to embezzle staff



  7. Pension Fraud Investigation Not a High Priority in Standard Life (Phoenix Group Holdings)

    The 'Open Source' company where I worked for nearly 12 years embezzled its staff; despite knowing that employees were subjected to fraud in Standard Life's name, it doesn't seem like Standard Life has bothered to investigate (it has been a fortnight already; no progress is reported by management at Standard Life)



  8. Links 20/03/2023: Tails 5.11 and EasyOS 5.1.1

    Links for the day



  9. Links 20/03/2023: Amazon Linux 2023 and Linux Kernel 6.3 RC3

    Links for the day



  10. IRC Proceedings: Sunday, March 19, 2023

    IRC logs for Sunday, March 19, 2023



  11. An Update on Sirius 'Open Source' Pensiongate: It's Looking Worse Than Ever

    It's starting to look more and more like pension providers in the UK, including some very major and large ones, are aiding criminals who steal money from their workers under the guise of "pensions"



  12. Services and Users TRApped in Telescreen-Running Apps

    TRApp, term that lends its name to this article, is short for "Telescreen-Running App". It sounds just like "trap". Any similarity is not purely coincidental.



  13. Links 19/03/2023: Release of Libreboot 20230319 and NATO Expanding

    Links for the day



  14. Great Things Brewing

    We've been very busy behind the scenes this past week; we expect some good publications ahead



  15. Links 19/03/2023: LLVM 16.0.0 and EasyOS Kirkstone 5.1 Releases

    Links for the day



  16. IRC Proceedings: Saturday, March 18, 2023

    IRC logs for Saturday, March 18, 2023



  17. Links 18/03/2023: Many HowTos, Several New Releases

    Links for the day



  18. Links 18/03/2023: Tor Browser 12.0.4 and Politics

    Links for the day



  19. Links 18/03/2023: Docker is Deleting Free Software Organisations

    Links for the day



  20. IRC Proceedings: Friday, March 17, 2023

    IRC logs for Friday, March 17, 2023



  21. New Talk: Richard Stallman Explains His Problem With Rust (Trademark Restrictions), Openwashing (Including Linux Kernel), Machine Learning, and the JavaScript Trap

    Richard Stallman's talk is now available above (skip to 18:20 to get to the talk; the volume was improved over time, corrected at the sender's end)



  22. Links 17/03/2023: CentOS Newsletter and News About 'Mr. UNIX' Ken Thompson Hopping on GNU/Linux

    Links for the day



  23. The European Patent Office's Central Staff Committee Explains the Situation at the EPO to the 'Yes Men' of António Campinos (Who is Stacking All the Panels)

    The EPO’s management is lying to staff (even right to their faces!) and it is actively obstructing attempts to step back into compliance with the law; elected staff representatives have produced detailed documents that explain the nature of some of the problems they’re facing



  24. Links 17/03/2023: Linux 6.2.7 and LibreSSL 3.7.1 Released

    Links for the day



  25. GNU/Linux in Honduras: 10% Market Share? (Updated)

    As per the latest statistics



  26. Links 17/03/2023: Update on John Deere’s Ongoing GPL Violations and PyTorch 2.0

    Links for the day



  27. IRC Proceedings: Thursday, March 16, 2023

    IRC logs for Thursday, March 16, 2023



  28. RMS: A Tour of Malicious Software, With a Typical Cell Phone as Example

    Tonight in Europe or this afternoon in America Richard M. Stallman (RMS), who turned 70 yesterday, gives a talk



  29. Skyfall for Sirius 'Open Source': A Second Pension Provider Starts to Investigate Serious (Sirius) Abuses

    Further to yesterday's update on Sirius ‘Open Source’ and its “Pensiongate” we can gladly report some progress following escalation to management; this is about tech and “Open Source” employees facing abuse at work, even subjected to crimes



  30. NOW: Pensions Lying, Obstructing and Gaslighting Clients After Months of Lies, Delays, and Cover-up (Amid Pension Fraud)

    The “Pensiongate” of Sirius ‘Open Source’ (the company which embezzled/robbed many workers for years) helps reveal the awful state of British pension providers, which are in effect enabling the embezzlement to carry on while lying to their clients


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts