
Cybersecurity researchers are warning of a massive spam campaign that has flooded the npm registry with thousands of fake packages since early 2024, likely as part of a financially motivated effort.
“Packages were systematically exposed over an extended period of time, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” Endor Labs researchers Cris Staicu and Kiran Raj said in a report Tuesday.
According to SourceCodeRED security researcher Paul McCarty, who first reported the activity, this coordinated campaign has released 46,484 packages to date. The end goal is very unusual: rather than data theft or other malicious activity, the campaign is designed to flood the npm registry with random packages.
The name IndonesianFoods comes from the worm's self-replicating mechanism and from the unique naming scheme used for the newly created packages, which relies on Indonesian names and food terminology. Each fake package pretends to be a Next.js project.
“What makes this threat particularly concerning is that the attackers created the NPM worm over time, rather than a single attack,” McCarty said. “What’s worse is that these attackers have been orchestrating this for over two years.”
Signs of a sustained, coordinated effort include consistent naming patterns and the fact that packages are published from a small network of a dozen npm accounts.
The worm resides within a single JavaScript file (such as “auto.js” or “publishScript.js”) within each package and remains dormant until the user manually runs the script using a command such as “node auto.js”. That is, it will not run automatically during installation or as part of a “post-install” hook.
It’s unclear why someone would go so far as to manually run JavaScript, but the presence of more than 43,000 packages suggests that either multiple victims ran the script by chance or out of curiosity, or that the attackers ran the script themselves and flooded the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.

“Although we have found no evidence of a coordinated social engineering campaign, the code was written with the possibility of social engineering in mind, and possible damage scenarios include fake blog posts, tutorials, or README entries instructing users to run “node auto.js” to “complete setup” or “fix build issues.” [and] The CI/CD pipeline builds scripts with wildcards like node *.js that executes all JavaScript files,” Raj added.
“The payload dormancy design is intended to evade automatic detection by requiring manual execution rather than ‘auto-run,’ reducing the likelihood that attackers will be flagged by security scanners and sandboxing systems.”
When run manually, the script starts a series of actions in an infinite loop, beginning with deleting the "private": true setting from the "package.json" file. This setting is typically used to prevent accidental publication of private repositories. It then uses an internal dictionary to create a random package name and assigns it a random version number to bypass npm's duplicate version detection.
In the final stage, the spam package is uploaded to npm using the “npm publish” command. This step repeats in an infinite loop, pushing a new package every 7-10 seconds. This equates to approximately 12 packages per minute, 720 packages per hour, or 17,000 packages per day.
“This floods the NPM registry with junk packages, wasting infrastructure resources, polluting search results, and creating supply chain risks if developers accidentally install these malicious packages,” McCarty said.
According to Endor Labs, this campaign is part of an attack first reported by Phylum (now part of Veracode) and Sonatype in April 2024, which included the release of thousands of spam packages to exploit the Tea protocol to conduct a “large-scale automated cryptocurrency farming campaign.”
“What makes this campaign particularly insidious is its worm-like dissemination mechanism,” the researchers said. “Analysis of the ‘package.json’ files revealed that these spam packages do not exist in isolation, but reference each other as dependencies, creating a self-replicating network.”
So, when a user installs one of these spam packages, npm fetches the entire dependency tree, which puts a strain on the registry's bandwidth as the number of fetched dependencies grows exponentially.
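The cross-referencing dependency pattern described above can be checked for in a set of manifests. The following is an added example (not code from Endor Labs, SourceCodeRED or the campaign itself) that builds the dependency graph from constructed, made-up package.json data and reports clusters of packages that are all reachable from one another, i.e. where installing any one member pulls in the whole group:

```javascript
// Constructed sample manifests with made-up names; no real npm packages are referenced.
const SAMPLE_MANIFESTS = {
  "nasi-goreng-abc": { dependencies: { "sate-ayam-xyz": "*", "rendang-qwe": "*" } },
  "sate-ayam-xyz": { dependencies: { "rendang-qwe": "*", "nasi-goreng-abc": "*" } },
  "rendang-qwe": { dependencies: { "nasi-goreng-abc": "*" } },
  "left-pad": { dependencies: {} },
  "my-app": { dependencies: { "left-pad": "*", "nasi-goreng-abc": "*" } },
};

// Every package npm would fetch after installing `name` (one or more hops away).
// Packages missing from `manifests` are treated as leaves.
function reach(name, manifests) {
  const seen = new Set();
  const stack = Object.keys((manifests[name] || {}).dependencies || {});
  while (stack.length) {
    const dep = stack.pop();
    if (seen.has(dep)) continue;
    seen.add(dep);
    for (const d of Object.keys((manifests[dep] || {}).dependencies || {})) stack.push(d);
  }
  return seen;
}

// Groups of packages that all depend on each other (directly or transitively).
// Installing any member drags in the entire group: the self-replicating network
// pattern. Each cluster is returned once, as a sorted list of package names.
function mutualClusters(manifests) {
  const clusters = new Map();
  for (const name of Object.keys(manifests)) {
    const members = [...reach(name, manifests)].filter(
      (p) => p !== name && reach(p, manifests).has(name)
    );
    if (members.length === 0) continue;
    const cluster = [name, ...members].sort();
    clusters.set(cluster.join(","), cluster);
  }
  return [...clusters.values()];
}

// Stand-alone run: the three food-named packages form one cluster, and a single
// install of "my-app" fetches four packages, three of them from that cluster.
console.log(mutualClusters(SAMPLE_MANIFESTS));
console.log("packages fetched for my-app:", reach("my-app", SAMPLE_MANIFESTS).size);
```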
According to Endor Labs, some of the attacker-controlled packages, such as arts-dao and gula-dao, contain tea.yaml files that list five different TEA accounts. The Tea Protocol is a decentralized framework that allows open source developers to earn rewards for their software contributions.
This may indicate that the attacker is using this campaign as a monetization vector by acquiring TEA tokens by artificially inflating impact scores. It is not clear who is behind this activity, but clues about the source code and infrastructure suggest it may be someone operating outside of Indonesia.
The application security firm also flagged a second variant (e.g. able_crocodile-notthedevs) that adopts a different naming scheme that includes random English words.
The findings also highlight blind spots in security scanners, which typically flag packages that execute malicious code during installation by monitoring lifecycle hooks or detecting suspicious system calls.
“In this case, nothing was found because nothing was found during installation,” Endor Labs said. “The sheer number of packages reported in the current campaign indicates that security scanners will need to analyze these signals in the future.”
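Because the payload never runs during installation, a lifecycle-hook monitor sees nothing; the signals that do exist are static. The following added example (not the scanner of Endor Labs, Sonatype or any other vendor) applies the heuristics the article describes to a constructed package fixture: a JavaScript file that spawns "npm publish" from an unbounded loop and rewrites package.json, that is not referenced by any lifecycle script (so it only runs when invoked by hand), plus the presence of a tea.yaml file. The regular expressions are simple assumptions for illustration, not a production detection rule:

```javascript
const PUBLISH_RE = /\bnpm\s+publish\b/;
const CHILD_PROC_RE = /require\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/;
const LOOP_RE = /\bwhile\s*\(\s*true\s*\)|\bsetInterval\s*\(|\bfor\s*\(\s*;\s*;\s*\)/;
const MANIFEST_WRITE_RE = /writeFileSync?\s*\([^)]*package\.json/;

// `files` maps a path inside the package tarball to its text content.
// Returns one finding per suspicious file; an empty array means nothing matched.
function scanPackage(files) {
  const findings = [];
  const manifest = JSON.parse(files["package.json"] || "{}");
  // Everything a lifecycle hook (install, postinstall, start, ...) would run.
  const hookTargets = Object.values(manifest.scripts || {}).join(" ");
  for (const [path, src] of Object.entries(files)) {
    if (path === "tea.yaml") findings.push({ path, rule: "tea-protocol-manifest", hits: [], dormant: false });
    if (!path.endsWith(".js")) continue;
    const hits = [];
    if (CHILD_PROC_RE.test(src) && PUBLISH_RE.test(src)) hits.push("self-publish");
    if (LOOP_RE.test(src)) hits.push("unbounded-loop");
    if (MANIFEST_WRITE_RE.test(src)) hits.push("rewrites-manifest");
    if (hits.length >= 2) {
      // Not wired to any lifecycle script: only runs if a user types "node <path>".
      const dormant = !hookTargets.includes(path);
      findings.push({ path, rule: "self-publishing-script", hits, dormant });
    }
  }
  return findings;
}

// Constructed fixture mirroring the described layout; the auto.js body is a
// non-functional sketch with the relevant tokens, not working code.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({ name: "sample-pkg", version: "1.0.0", private: true, scripts: { start: "next start" } }),
  "tea.yaml": "version: 1.0.0\n",
  "auto.js": [
    'const { execSync } = require("child_process");',
    "while (true) {",
    "  /* pick a random name and version, then rewrite the manifest */",
    '  fs.writeFileSync("package.json", manifestText);',
    '  execSync("npm publish");',
    "}",
  ].join("\n"),
  "index.js": 'module.exports = () => "hello";',
};

console.log(scanPackage(SAMPLE_PACKAGE));
```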

Garrett Calpouzos, principal security researcher at software supply chain security company Sonatype, characterizes IndonesianFoods as a self-publishing worm that operates on a massive scale, overwhelming security data systems in the process.
“The technical sophistication isn’t necessarily high. Interestingly, these packages don’t even seem to be trying to get into developers’ machines. What’s escalating at an alarming rate is automation and scale,” Calpouzos said.
“Each wave of these attacks weaponizes the open nature of npm in slightly new ways. While this attack doesn’t steal credentials or inject code, it still strains the ecosystem and proves how easy it is to disrupt the world’s largest software supply chain. The motivation is unclear, but the impact is significant.”
When asked for comment, a GitHub spokesperson said the company has removed the offending packages from npm and is working to discover, analyze, and remove packages and accounts that violate its policies.
“We disabled the malicious npm package in accordance with GitHub’s Terms of Service, which prohibits posting content that directly supports illegal active attacks or malware campaigns that cause technical harm,” the spokesperson added.
“We employ manual reviews and detection at scale using machine learning, and are constantly evolving to mitigate malicious use of our platform. We also encourage our customers and community members to report abuse and spam.”
