Thousands of Fake Packages Flood Npm Registry in Major Attack - Here's What We Know

TechRadar, Nov 13, 2025

Why It Matters

The flood of dormant packages expands the supply‑chain attack surface, allowing attackers to push malicious code to a large developer base, and the token‑gaming undermines confidence in open‑source incentive models, prompting tighter registry oversight.

Summary

Over 43,000 spam packages were uploaded to npm over a nearly two‑year period, accounting for roughly 1% of the registry and representing a coordinated campaign dubbed “IndonesianFoods.” Endor Labs traced the effort to at least 11 user accounts that generated package names using Indonesian personal and food terms, creating dormant modules that simply accrue downloads. While most packages are inert, some contain worm‑like scripts and many include TEA.yaml files tied to the TEA token reward system, hinting at future malicious commits or a scheme to inflate token earnings.
