NPM Registry Flooded by Massive ‘IndonesianFoods’ Worm
Security researchers are raising the alarm about a massive, coordinated spam attack that has overwhelmed the npm registry, the world’s largest storehouse for JavaScript code. Since early 2024, tens of thousands of bogus software packages have been uploaded in an automated campaign that one researcher dubbed the “IndonesianFoods Worm.”
This attack is different from typical cybersecurity threats. Instead of trying to steal data or plant viruses on developers’ computers, its main goal seems to be flooding the npm system with junk. Security firm Endor Labs, along with researcher Paul McCarty from SourceCodeRED, tracked the operation, which has been quietly building momentum for nearly two years. McCarty’s analysis revealed that a staggering 67,579 fake packages have been published so far.
The packages are named using a strange pattern, often relying on Indonesian names and food terms, which is what earned the campaign its nickname. All of these bogus packages are designed to look like legitimate Next.js projects; Next.js is a popular web framework built on React.
How the ‘Worm’ Spreads Without Being Noticed
What makes this attack so worrying is its clever “worm-like” method of spreading. However, it comes with a major twist: the malicious code doesn’t run automatically.
In a typical supply chain attack, hackers hide malicious code in “postinstall” scripts, which automatically run as soon as a developer installs a package. Security scanners are built to catch this. The IndonesianFoods worm outsmarts this by hiding its code in a separate file, often named auto.js or publishScript.js. This file does absolutely nothing until a person manually types a command like node auto.js to run it.
This manual trigger is the attack’s greatest defense. Because nothing harmful happens on installation, automated security scanners look at the package, find no threat, and give it a passing grade.
The big question is, why would any developer manually run a random script? Researchers aren’t entirely sure, but they have several theories. Attackers could be planning a social engineering campaign, writing fake blog posts or tutorials that instruct users to run the script to “complete a setup” or “fix a build error.” Another possibility is that the code targets automated build systems in companies (known as CI/CD pipelines) that might be set up to run any JavaScript file in a directory.
An Infinite Loop of Junk
When an unsuspecting victim does run the script, it kicks off an unstoppable, infinite loop. The script is essentially a self-publishing machine.
First, it modifies the package’s settings file (package.json) to remove the line that keeps it private. This makes the package public and ready to be uploaded.
Next, it uses an internal dictionary of words to generate a new, random package name (like gula-dao or arts-dao) and assigns it a random version number. This is done to get around npm’s rules that block duplicate packages.
Finally, the script automatically runs the npm publish command, uploading the new spam package to the npm registry. The whole process then repeats itself, pushing out a new fake package every 7 to 10 seconds. At that rate, the worm can publish over 700 packages an hour, or nearly 17,000 every single day.
The Real Motive: Farming for Crypto
While the attack looks like simple vandalism, researchers at Endor Labs have uncovered a clear financial motive. This campaign appears to be a massive, automated effort to farm cryptocurrency by abusing a system called the Tea protocol.
The Tea protocol is a decentralized program designed to reward open-source software developers for their contributions. The more a project is used and depended on, the higher its “impact score,” and the more TEA tokens (a form of cryptocurrency) its developers can earn.
The attackers are gaming this system. By creating tens of thousands of packages that all list each other as dependencies, they are building a giant, fake network. This artificially inflates their impact score, tricking the Tea protocol into thinking they are responsible for a massive, important ecosystem of software. Researchers found files inside the spam packages that link to five different TEA accounts, all set up to collect the rewards.
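Two registry-side checks that follow from the behaviour described above, the dormant self-publishing script and the self-referential dependency network, as an added example that is not the article's or the researchers' code. The batch format, the marker regexes, the 0.5 threshold and the sample packages are all constructed for illustration.

```javascript
// Added example, not code from the article or the researchers: registry-side
// heuristics for the behaviour above. A batch is a constructed map of
// package name -> { manifest, files } where files holds loose .js sources.

// A self-publishing loop has to invoke the registry client, rewrite its own
// manifest and touch the private flag; requiring all three limits noise.
const SELF_PUBLISH_MARKERS = [/npm\s+publish/, /package\.json/, /\bprivate\b/];

// .js files NOT wired into any "scripts" entry yet carrying every marker.
// Install-time scanners only read "scripts", so a dormant auto.js passes them.
function findSelfPublishScripts(pkg) {
  const wired = Object.values(pkg.manifest.scripts || {}).join(' ');
  return Object.entries(pkg.files || {})
    .filter(([path]) => path.endsWith('.js') && !wired.includes(path))
    .filter(([, src]) => SELF_PUBLISH_MARKERS.every((re) => re.test(src)))
    .map(([path]) => path);
}

// Share of each package's dependencies that point back into the same batch.
// A real Next.js app depends on next/react; a score farm depends on siblings.
function internalDependencyRatio(batch) {
  const names = new Set(Object.keys(batch));
  const ratios = {};
  for (const [name, pkg] of Object.entries(batch)) {
    const deps = Object.keys(pkg.manifest.dependencies || {});
    const internal = deps.filter((d) => names.has(d)).length;
    ratios[name] = deps.length === 0 ? 0 : internal / deps.length;
  }
  return ratios;
}

// Names in the batch that trip either heuristic (threshold is an assumption).
function triage(batch, threshold = 0.5) {
  const ratios = internalDependencyRatio(batch);
  return Object.keys(batch).filter(
    (n) => findSelfPublishScripts(batch[n]).length > 0 || ratios[n] >= threshold);
}

// Constructed sample: two look-alike spam manifests and one ordinary app.
// SPAM_SCRIPT is a marker-bearing stand-in for auto.js, not a working script.
const SPAM_SCRIPT =
  "const p=require('./package.json');delete p.private;/*...*/execSync('npm publish');";
const SAMPLE_BATCH = {
  'gula-dao': { manifest: { dependencies: { 'arts-dao': '1.0.0', next: '14.0.0' } },
                files: { 'auto.js': SPAM_SCRIPT } },
  'arts-dao': { manifest: { dependencies: { 'gula-dao': '1.0.0' } },
                files: { 'publishScript.js': SPAM_SCRIPT } },
  'my-shop':  { manifest: { dependencies: { next: '14.0.0', react: '18.2.0' },
                            scripts: { dev: 'next dev', seed: 'node seed.js' } },
                files: { 'seed.js': "require('./package.json'); // no publish here" } },
};
```

Running `triage(SAMPLE_BATCH)` returns `['gula-dao', 'arts-dao']`: the ordinary app has a loose script but no publish call, and none of its dependencies point back into the batch.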
A New Kind of Supply Chain Danger
This attack highlights a serious blind spot in the software supply chain. Even though the packages don’t steal passwords, they cause real harm.
- They pollute the registry: Developers searching for real tools are now forced to sift through mountains of junk, slowing down development.
- They waste resources: The sheer volume of packages strains npm’s infrastructure and bandwidth.
- They create risk: A developer could accidentally install one of these packages, and while they are dormant now, the attackers could update them with truly malicious code at any time.
Garrett Calpouzos, a researcher at Sonatype, noted that while the attack isn’t technically complex, its “automation and scale are escalating at an alarming rate.” It proves how easy it is to disrupt the world’s largest software supply chain by weaponizing its open nature.
The Clean-Up Effort
In response to the findings, GitHub (which owns npm) took action. A spokesperson confirmed that the company has removed the malicious packages and disabled the accounts involved for violating its acceptable use policies.
GitHub stated that it uses a combination of machine learning and manual reviews to detect and remove malicious content, and it encourages the developer community to report any abuse or spam they find.
