Massive Spam Campaign Floods npm Registry with Over 67,000 Fake Packages

Cybersecurity researchers are drawing attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024, likely as part of a financially motivated effort.

“The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.

NPM Registry Packages

So far, the coordinated campaign has published around 67,579 packages, according to SourceCodeRED security researcher Paul McCarty, who first identified the activity. Unusually, the campaign aims to overwhelm the npm registry with random packages instead of focusing on data theft or other malicious actions.

To add to the complexity, the attackers used a worm-like propagation mechanism and a distinctive naming pattern based on Indonesian names and food terms. This approach earned the operation the name IndonesianFoods. The fake packages pose as Next.js projects.

“What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack,” McCarty said. “Even worse, these threat actors have been staging this for over two years.”

Several signs indicate a sustained and coordinated effort, including consistent naming patterns and the use of a small network of more than a dozen npm accounts to publish the packages.

Each package contains the worm inside a single JavaScript file (for example, “auto.js” or “publishScript.js”). The script stays inactive until a user manually runs it with a command such as node auto.js. In other words, it doesn’t execute automatically during installation or through a “postinstall” hook.

No one knows exactly why someone would take the extra step of manually running the JavaScript, but the existence of over 43,000 packages implies that either several victims executed the script by accident or out of curiosity, or the attackers triggered it themselves to flood the registry, said Henrik Plate, head of security research at Endor Labs, in a statement.

“We haven’t found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential,” Raj added. “Possible victim scenarios include fake blog posts, tutorials, or README entries instructing users to run ‘node auto.js’ to ‘complete setup’ or ‘fix a build issue,’ [and] CI/CD pipeline build scripts with wildcards something like node *.js that execute all JavaScript files.”

Raj also explained that the payload’s dormant design helps it evade automated detection. By requiring manual execution instead of “autorun,” attackers minimize the risk of being flagged by security scanners or sandboxing systems.

What It Does

When executed, the script performs a series of actions in an infinite loop. It first removes "private": true from the “package.json” file — a setting that normally prevents accidental publication of private repositories. Then, it generates a random package name using its internal dictionary and assigns it a random version number to bypass npm’s duplicate version detection.

In the final stage, the spam package uploads itself to npm using the npm publish command. The entire process repeats endlessly, pushing out a new package every 7 to 10 seconds. This rate equals about 12 packages per minute, 720 per hour, or roughly 17,000 per day.

“This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages,” McCarty said.

According to Endor Labs, this campaign forms part of a broader attack first identified by Phylum (now part of Veracode) and Sonatype in April 2024. That earlier effort involved publishing thousands of spam packages to conduct a “massive automated crypto farming campaign” by exploiting the Tea protocol.

“What makes this campaign particularly insidious is its worm-like spreading mechanism,” the researchers said. “Analysis of the ‘package.json’ files reveals that these spam packages do not exist in isolation; they reference each other as dependencies, creating a self-replicating network.”

As a result, when a user installs one of the spam packages, npm fetches the entire dependency tree, putting significant strain on registry bandwidth as dependencies multiply exponentially.

Endor Labs noted that some attacker-controlled packages, such as arts-dao and gula-dao, include a tea.yaml file listing five different TEA accounts. The Tea protocol, a decentralized framework, rewards open-source developers for their contributions.

Monetizing and Variants

This pattern suggests that the threat actors are monetizing their efforts by earning TEA tokens and artificially inflating their impact scores. Although investigators haven’t identified the culprits, evidence from source code and infrastructure points to individuals operating from Indonesia.

The application security company also discovered a second variant that uses a different naming scheme based on random English words (for example, able_crocodile-notthedevs).

These findings highlight a serious blind spot in existing security scanners. Most scanners monitor packages that execute malicious code during installation by tracking lifecycle hooks or detecting suspicious system calls.

“In this case, they found nothing because there was nothing to find at the time of installation,” Endor Labs said. “The sheer number of packages flagged in the current campaign shows that security scanners must analyze these signals in the future.”
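Added example (not code from the article, Endor Labs or SourceCodeRED): a static triage pass over an unpacked npm package that checks the lifecycle hooks an install-time scanner would look at, then looks for the dormant-script signals described above (`npm publish`, removal of the private flag, an endless loop, a tea.yaml file), and counts how many packages a single install would pull in when spam packages list each other as dependencies. All package names and file contents are constructed fixtures.

```javascript
// Added example (not from the article, Endor Labs or SourceCodeRED): a static
// triage pass over an unpacked npm package for the signals the article describes,
// which an install-hook monitor never sees. All inputs are constructed fixtures.
const SCRIPT_SIGNALS = [
  { id: "npm-publish", re: /\bnpm\s+publish\b/ },                // self-publishing
  { id: "private-flag-removed", re: /delete\s+\w+\.private\b|\.private\s*=\s*false/ },
  { id: "endless-loop", re: /while\s*\(\s*true\s*\)|setInterval\s*\(/ },
];
// Returns the lifecycle hooks a hook-based scanner would inspect (empty for a
// dormant package) alongside the static signals found in the package's files.
function scanPackage(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const hooks = Object.keys(pkg.scripts || {}).filter((s) => /^(pre|post)?install$/.test(s));
  const signals = [];
  if ("tea.yaml" in files) signals.push("tea-yaml"); // Tea protocol reward file
  for (const [name, body] of Object.entries(files)) {
    if (!name.endsWith(".js")) continue;
    for (const { id, re } of SCRIPT_SIGNALS) if (re.test(body)) signals.push(`${name}:${id}`);
  }
  return { hooks, signals };
}
// Number of packages one `npm install <root>` pulls in when spam packages list
// each other as dependencies: the "self-replicating network" the article describes.
function installClosure(registry, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name) || !(name in registry)) continue;
    seen.add(name);
    stack.push(...Object.keys(registry[name].dependencies || {}));
  }
  return seen.size;
}
// Constructed fixtures (hypothetical names): a package whose only payload is a
// script the user must run by hand, plus a tiny registry of mutual dependencies.
const SAMPLE_FILES = {
  "package.json": JSON.stringify({ name: "sample-rendang-budi", version: "3.14.2",
    dependencies: { "sample-sate-dewi": "*" } }),
  "tea.yaml": "# constructed placeholder standing in for a Tea protocol reward file\n",
  "auto.js": "const pkg = require('./package.json');\ndelete pkg.private;\n" +
    "while (true) { /* rename, bump version, then */ execSync('npm publish'); }\n",
};
const SAMPLE_REGISTRY = {
  "sample-rendang-budi": { dependencies: { "sample-sate-dewi": "*" } },
  "sample-sate-dewi": { dependencies: { "sample-gudeg-ayu": "*", "sample-rendang-budi": "*" } },
  "sample-gudeg-ayu": { dependencies: {} },
};
```

Running scanPackage on the fixture returns no install hooks (nothing for a hook monitor to flag) but four static signals, and installClosure shows that installing the first package fetches all three mutually dependent packages.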

Garrett Calpouzos, principal security researcher at Sonatype, described IndonesianFoods as a self-publishing worm operating at massive scale and overwhelming security data systems.

“The technical sophistication isn’t necessarily higher — interestingly, these packages do not appear to even try to infiltrate developer machines — it’s the automation and scale that are escalating at an alarming rate,” Calpouzos said.

“Each wave of these attacks weaponizes npm’s open nature in slightly new ways. This one may not steal credentials or inject code, but it still strains the ecosystem and proves how trivial it is to disrupt the world’s largest software supply chain. While the motivation is unclear, the implications are striking.”

When asked for comment, a GitHub spokesperson said the company removed the packages in question from npm and remains committed to detecting, analyzing, and taking down packages and accounts that violate its policies.

“We have disabled malicious npm packages in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” the spokesperson added.

“We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform. We also encourage customers and community members to report abuse and spam.”


Source: TheHackerNews
