A self-propagating worm, dubbed 'IndonesianFoods,' is spamming the npm registry by automatically generating and publishing new packages at an alarming rate. Using a naming convention that combines random Indonesian names and food terms, the campaign has created over 100,000 packages, with the count growing exponentially. While the current packages contain no overtly malicious code, security researchers warn that the sheer scale of the operation could be a prelude to a more harmful supply-chain attack.
The worm's primary function appears to be replication, publishing a new package every seven seconds to overwhelm the ecosystem. This automation has already disrupted security scanning services, with one firm reporting 72,000 new vulnerability advisories generated in a single day. Analysis suggests a financial motive, as many packages contain configuration files for the TEA Protocol, a system that rewards open-source contributions with cryptocurrency tokens.
This incident is part of a growing trend where attackers use automation to exploit open-source platforms. Researchers note the campaign began subtly two years ago and has progressively incorporated more sophisticated tactics. To mitigate such threats, developers are advised to pin dependency versions, monitor for abnormal publishing activity, and enforce strict digital signature validation. The event underscores the vulnerability of software ecosystems to large-scale, automated spam attacks.
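One way to act on the "monitor for abnormal publishing activity" advice, as an added example that is not part of the original article: a small Node.js script that groups registry publish events by maintainer and flags accounts whose median spacing between publishes is seconds rather than hours. The event records, package names and account names are constructed sample data, not real registry entries.

```javascript
// Added example, not from the original article: flag maintainers whose publish
// cadence looks automated (the worm above publishes about every seven seconds).
// Events are {time, name, maintainer} objects such as one could assemble from the
// registry's changes feed; all package names and accounts below are constructed.
function publishStats(events) {
  // Group publish timestamps by maintainer, then derive count and median gap.
  const byMaintainer = new Map();
  for (const e of events) {
    if (!byMaintainer.has(e.maintainer)) byMaintainer.set(e.maintainer, []);
    byMaintainer.get(e.maintainer).push(Date.parse(e.time));
  }
  const stats = {};
  for (const [maintainer, times] of byMaintainer) {
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    gaps.sort((a, b) => a - b);
    // The median is robust to one long pause inside an otherwise machine-like burst.
    const medianGapSeconds = gaps.length ? gaps[Math.floor(gaps.length / 2)] : null;
    stats[maintainer] = { count: times.length, medianGapSeconds };
  }
  return stats;
}
// Flag accounts with at least minCount publishes whose typical spacing is at or
// below maxMedianGapSeconds; humans rarely publish distinct packages a minute apart.
function flagAbnormalPublishers(events, { minCount = 5, maxMedianGapSeconds = 60 } = {}) {
  const stats = publishStats(events);
  return Object.entries(stats)
    .filter(([, s]) => s.count >= minCount && s.medianGapSeconds !== null &&
                       s.medianGapSeconds <= maxMedianGapSeconds)
    .map(([maintainer]) => maintainer)
    .sort();
}

// Builds constructed sample events: `count` publishes by one account, `gapSeconds` apart.
function makeEvents(maintainer, startIso, count, gapSeconds) {
  const start = Date.parse(startIso);
  return Array.from({ length: count }, (_, i) => ({
    time: new Date(start + i * gapSeconds * 1000).toISOString(),
    name: `${maintainer}-pkg-${i}`,
    maintainer,
  }));
}

const SAMPLE_EVENTS = [
  ...makeEvents('human-maintainer', '2025-11-10T09:00:00Z', 3, 86400), // one per day
  ...makeEvents('steady-ci-account', '2025-11-10T09:00:00Z', 6, 600), // every 10 min
  ...makeEvents('suspect-account', '2025-11-10T09:00:00Z', 12, 7),    // every 7 s
];
console.log('flagged:', flagAbnormalPublishers(SAMPLE_EVENTS)); // [ 'suspect-account' ]
```

The thresholds are assumptions to tune per registry; a real deployment would feed the function from the registry's change feed rather than from the constructed events above.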
