
Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign

A financially motivated threat actor automated the package publishing process in a coordinated tea.xyz token farming campaign.


More than 150,000 malicious packages were published in the NPM registry as part of a recently uncovered spam campaign, Amazon reports.

The packages contain a self-replicating worm designed to generate and publish new packages in an infinite loop, constantly spamming the registry.

Previous reports on the activity identified roughly 80,000 packages published across 18 accounts, detailing the automated naming scheme used by the threat actor behind the campaign.

Now, Amazon says it identified twice as many packages between October 24 and November 12, all of which are linked to tea.xyz, a blockchain-based system that rewards open source developers with a native cryptocurrency token.

All packages lack legitimate functionality but contain a self-replicating routine to create more packages, modify their package.json files to make them public, and publish them to NPM.

They contain a configuration file ‘tea.yaml’, likely meant to boost visibility and page rank so that the threat actor could extract rewards from the tea.xyz protocol. The file links the packages to blockchain wallet addresses.
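The traits the article attributes to these packages (a `tea.yaml` pointing at wallet addresses, a `package.json` forced to public access, no functional code, and dependency chains between generated packages) can be checked mechanically over unpacked tarballs before they reach a build. The scanner below is an added example, not code from the article, Amazon, JFrog or SourceCodeRed. The package names, file contents, the `codeOwners` layout of `tea.yaml` and the EVM-style `0x…` wallet format are constructed assumptions; it scores a package as suspect only when several traits co-occur, because a `tea.yaml` alone is normal for legitimate tea.xyz participants.

```javascript
// Added example: heuristic scan of unpacked npm packages for the traits the
// article describes. Sample packages and the tea.yaml layout are constructed.

// Assumption: wallet addresses in tea.yaml are EVM-style 0x + 40 hex chars.
const WALLET_ADDRESS = /0x[0-9a-fA-F]{40}/g;

// files: { relativePath: fileContents } for one unpacked package.
function scanPackage(name, files) {
  const indicators = [];
  const pkg = JSON.parse(files['package.json'] || '{}');
  let wallets = [];

  // Trait 1: tea.yaml present; record the wallet(s) it pays out to.
  if ('tea.yaml' in files) {
    indicators.push('tea.yaml present');
    wallets = [...new Set(files['tea.yaml'].match(WALLET_ADDRESS) || [])];
  }

  // Trait 2: package.json rewritten to force a public publish.
  if (pkg.publishConfig && pkg.publishConfig.access === 'public') {
    indicators.push('publishConfig.access set to public');
  }

  // Trait 3: no functional code (entry point missing or empty).
  const entry = pkg.main || 'index.js';
  const entrySource = files[entry];
  if (entrySource === undefined || entrySource.trim() === '') {
    indicators.push(`entry point ${entry} missing or empty`);
  }

  const deps = Object.keys(pkg.dependencies || {});
  return { name, wallets, deps, indicators };
}

// A package is suspect only when at least two traits co-occur; a lone
// tea.yaml is legitimate for genuine tea.xyz participants.
function isSuspect(result) {
  return result.indicators.length >= 2;
}

// packages: { packageName: files }. Adds the dependency-chain trait (a
// package depending on other suspect packages) and clusters suspect
// packages by the wallet their tea.yaml names.
function scanSample(packages) {
  const results = {};
  for (const [name, files] of Object.entries(packages)) {
    results[name] = scanPackage(name, files);
  }
  for (const r of Object.values(results)) {
    const chained = r.deps.filter((d) => results[d] && isSuspect(results[d]));
    if (chained.length > 0) {
      r.indicators.push(`depends on suspect package(s): ${chained.join(', ')}`);
    }
  }
  const byWallet = {};
  for (const r of Object.values(results)) {
    if (!isSuspect(r)) continue;
    for (const w of r.wallets) (byWallet[w] = byWallet[w] || []).push(r.name);
  }
  return { results, byWallet };
}

// Constructed sample: two generated-looking packages sharing one wallet,
// plus an ordinary library that happens to carry a tea.yaml.
const WALLET = '0x' + 'ab'.repeat(20);
const teaYaml = (wallet) => `version: 1.0.0\ncodeOwners:\n  - '${wallet}'\n`;
const SAMPLE = {
  'example-farm-a': {
    'package.json': JSON.stringify({ name: 'example-farm-a', version: '1.0.0',
      publishConfig: { access: 'public' } }),
    'tea.yaml': teaYaml(WALLET),
    'index.js': '',
  },
  'example-farm-b': {
    'package.json': JSON.stringify({ name: 'example-farm-b', version: '1.0.0',
      publishConfig: { access: 'public' }, dependencies: { 'example-farm-a': '1.0.0' } }),
    'tea.yaml': teaYaml(WALLET),
    'index.js': '',
  },
  'example-real-lib': {
    'package.json': JSON.stringify({ name: 'example-real-lib', version: '2.3.1', main: 'lib.js' }),
    'tea.yaml': teaYaml('0x' + 'cd'.repeat(20)),
    'lib.js': 'module.exports = (s) => s.trim();\n',
  },
};

// Stand-alone run: print each verdict and the wallet clusters.
const { results: demoResults, byWallet: demoByWallet } = scanSample(SAMPLE);
for (const r of Object.values(demoResults)) {
  console.log(`${r.name}: ${isSuspect(r) ? 'SUSPECT' : 'ok'} (${r.indicators.join('; ')})`);
}
console.log('suspect packages by wallet:', demoByWallet);
```

Grouping by wallet is the useful output for a registry operator or a lockfile audit: the article's campaign ties every package to the actor's wallet addresses, so one wallet fanning out over many empty, public, inter-dependent packages is the signature to escalate on, whereas a single functional package with a `tea.yaml` is not.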


“Unlike traditional malware, these packages do not contain overtly malicious code. Instead, they exploit the tea.xyz reward mechanism by artificially inflating package metrics through automated replication and dependency chains, allowing threat actors to extract financial benefits from the open source community,” Amazon notes.

As JFrog and SourceCodeRed previously reported, the campaign, tracked as IndonesianFoods and Big Red, pollutes the NPM registry with low-quality, non-functional packages, wastes infrastructure resources, and introduces a risk for developers who download the code.

The campaign poses additional risks if other threat actors decide to copy it and start engaging in automated package generation for financial gain, targeting additional reward-based systems.

“This incident demonstrates both the evolving nature of threats where financial incentives drive registry pollution at unprecedented scale, and the critical importance of industry-community collaboration in defending the software supply chain,” Amazon notes.

Related: Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm

Related: GlassWorm Malware Returns to Open VSX, Emerges on GitHub

Related: 136 NPM Packages Delivering Infostealers Downloaded 100,000 Times

Related: Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
