Cybersecurity experts have uncovered a massive spam and worm-like campaign that has flooded the npm registry with more than 67,000 fake packages since early 2024. This operation appears to be a financially motivated attack designed to exploit the open nature of the npm ecosystem.
According to a recent report from Endor Labs researchers Cris Staicu and Kiran Raj, the attackers have been systematically publishing thousands of junk npm packages over the past two years, overwhelming the registry with nonfunctional projects disguised as legitimate software.
The IndonesianFoods Worm: A New Form of npm Abuse
Security researcher Paul McCarty of SourceCodeRED first detected the campaign, revealing that it published at least 67,579 malicious packages under the guise of Next.js projects. The malware’s unusual propagation pattern and the repeated use of Indonesian names and food-related terms inspired researchers to nickname it the “IndonesianFoods Worm.”
McCarty noted that the attackers didn’t just launch a single strike but “took the time to engineer a full npm worm,” which has been spreading quietly for over two years.
How the Worm Operates
Each fake package includes a small JavaScript file (commonly named auto.js or publishScript.js) that remains inactive until executed manually by a developer using a command such as node auto.js.
Unlike typical npm malware, it does not trigger automatically upon installation, making detection difficult.
When run, the script performs an infinite loop of automated publishing:
- Removes "private": true from the package.json file to allow publication.
- Generates a random package name using an internal dictionary.
- Assigns a random version number to bypass npm's duplicate detection.
- Uploads the spam package using npm publish, repeating the process every 7–10 seconds.
This means the malware can generate 12 new packages per minute, approximately 720 per hour, or over 17,000 per day, leading to massive registry pollution.
The Goal Behind the Attack
Endor Labs and Sonatype (now part of Veracode) believe the operation is connected to a crypto farming campaign exploiting the Tea protocol, a decentralized platform that rewards developers for open-source contributions.
Some malicious packages such as arts-dao and gula-dao even include tea.yaml files listing multiple TEA accounts, suggesting that attackers aim to earn TEA tokens by artificially boosting their project impact scores.
Researchers also observed that many of these packages reference each other in their dependency trees, forming a self-replicating worm network.
When a single spam package is installed, npm recursively fetches all linked dependencies, further stressing registry bandwidth and server resources.
Why Security Tools Missed It
This campaign exposed a critical blind spot in many security scanners.
Because the malware requires manual execution instead of running during installation, it avoids detection by systems that only monitor post-install scripts or suspicious API calls.
As Endor Labs explained, “Security scanners detected nothing because there was nothing to detect during installation.”
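The indicators described in the three sections above (a dormant auto.js/publishScript.js that loops over npm publish and strips the "private" field, a tea.yaml listing several accounts, and packages that depend on one another) can be checked before anything is installed or run. The following triage script is an added example written for this article; it is not code from Endor Labs, SourceCodeRED, Sonatype or GitHub. It works on plain in-memory objects so it runs offline; the package names, file contents and the tea.yaml layout (accounts as YAML list items) are constructed for the example, and in practice the objects would be built from a tarball fetched with npm pack rather than from an installed package.

```javascript
// Added example: heuristic pre-install triage for the IndonesianFoods
// indicators. Not the researchers' tooling; inputs below are constructed.

const SUSPICIOUS_SCRIPT_NAMES = new Set(['auto.js', 'publishScript.js']);

// Inspect one package and return a list of human-readable findings.
// pkg = { name, packageJson: <parsed package.json>, files: { path: text } }
function triagePackage(pkg) {
  const findings = [];
  const files = pkg.files || {};

  for (const [file, text] of Object.entries(files)) {
    if (SUSPICIOUS_SCRIPT_NAMES.has(file)) {
      findings.push(`${file}: file name matches the worm's publisher script`);
    }
    // A loop or timer wrapped around `npm publish` is the worm's core behaviour.
    const callsPublish = /npm\s+publish/.test(text);
    const loops = /while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)|setInterval\s*\(/.test(text);
    if (callsPublish && loops) {
      findings.push(`${file}: invokes npm publish inside a loop or timer`);
    }
    // Rewriting the "private" field of package.json is what enables publication.
    if (/package\.json/.test(text) && /["']private["']/.test(text)) {
      findings.push(`${file}: rewrites the "private" field of package.json`);
    }
  }

  // A tea.yaml naming several accounts points at Tea-protocol reward farming.
  // Assumption for this example: accounts appear as YAML list items ("- ...").
  if ('tea.yaml' in files) {
    const entries = files['tea.yaml'].split('\n').filter((l) => /^\s*-\s+\S/.test(l)).length;
    if (entries > 1) findings.push(`tea.yaml: lists ${entries} TEA accounts`);
  }

  // A publishable package with no real scripts and other hits is a red flag.
  const pj = pkg.packageJson || {};
  if (pj.private !== true && Object.keys(pj.scripts || {}).length === 0 && findings.length > 0) {
    findings.push('package.json: publishable and carries no build/test scripts');
  }
  return findings;
}

// Given a batch of packages, return those whose dependencies point at other
// members of the batch: the mutually referencing network the article describes.
function crossReferences(batch) {
  const names = new Set(batch.map((p) => p.name));
  const result = {};
  for (const p of batch) {
    const deps = Object.keys((p.packageJson && p.packageJson.dependencies) || {});
    const internal = deps.filter((d) => names.has(d));
    if (internal.length > 0) result[p.name] = internal;
  }
  return result;
}

// Constructed sample batch (names and file contents invented for this example;
// the script text is plain data and is never executed).
const SAMPLE_BATCH = [
  {
    name: 'example-spam-a',
    packageJson: { name: 'example-spam-a', version: '3.14.7', dependencies: { 'example-spam-b': '*' } },
    files: {
      'auto.js': `/* constructed */ setInterval(() => run('npm publish'), 8000); delete pkg["private"]; write('package.json');`,
      'tea.yaml': 'version: 1.0.0\ncodeOwners:\n  - 0xAAAA\n  - 0xBBBB\n  - 0xCCCC\n',
    },
  },
  {
    name: 'example-spam-b',
    packageJson: { name: 'example-spam-b', version: '0.4.1', dependencies: { 'example-spam-a': '*' } },
    files: { 'publishScript.js': 'while (true) { exec("npm publish") }' },
  },
  {
    name: 'example-clean',
    packageJson: { name: 'example-clean', version: '1.0.0', private: true, scripts: { test: 'jest' } },
    files: { 'index.js': 'module.exports = () => 42;' },
  },
];

for (const p of SAMPLE_BATCH) console.log(p.name, '->', triagePackage(p));
console.log('cross-references:', crossReferences(SAMPLE_BATCH));
```

Because the checks read file contents and package.json metadata rather than hooking install events, they do not share the blind spot the article describes: a package whose payload waits for a manual node auto.js still shows the publisher script, the publish loop and the private-field rewrite at rest.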
Impact and Industry Response
The incident demonstrates how easy it is to weaponize npm’s openness and disrupt the global software supply chain.
Although the malware doesn’t directly infect developer systems or steal data, it clogs the registry, wastes infrastructure resources, and poses risks of accidental installation.
Sonatype researcher Garrett Calpouzos described the campaign as a “self-publishing npm worm of unprecedented scale,” adding that its “automation and volume, not sophistication, are what make it dangerous.”
GitHub, which manages npm, confirmed it has removed the malicious packages and disabled the associated accounts.
A company spokesperson stated, “We employ manual reviews and large-scale machine learning detections that evolve constantly to mitigate malicious use of the platform. We also encourage the community to report abuse and spam.”
This large-scale spam operation serves as a warning that open-source ecosystems remain vulnerable to novel forms of abuse where automation replaces exploitation, proving that disruption alone can be a powerful weapon.