npm publish failed with Package name triggered spam detection

They are trying to block "typo-squatting" and new names that could be confused for existing packages. Since there is a "node-template" package, it makes sense that adding a dash and a year ("2017", "2018") would score high for getting blocked. I'd think node-template-18 would score pretty high too, but using any existing name with a dash and a recent year seems almost guaranteed to get blocked.

Here's a post from NPM about why they are blocking some names as spam: https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry?_ga=2.194615085.1031845233.1547144890-1639781483.1547144890

According to that, they were using Smyte for spam detection. Smyte shut off their APIs 30 minutes after announcing their acquisition by Twitter (see NPM's reaction!), so maybe they're using something else now.

I don't see anything specific about how they determine what to block, but based on the comments above and my own experience, any existing package name combined with dashes and numbers seems to be suspect. Exactly what will trigger getting blocked isn't something they are likely to share (and is likely to change over time).

Tags: Node.js, npm