SecurityWeek

Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm

The spam campaign is likely orchestrated by an Indonesian threat actor, based on code comments and the packages’ random names.


A threat actor has published tens of thousands of malicious NPM packages that contain a self-replicating worm, security researchers warn.

Unlike recent supply chain attacks on NPM, the code used in this campaign does not exfiltrate credentials or data; it abuses the ecosystem to spam the registry.

SourceCodeRed, which calls the malware ‘the IndonesianFoods worm’, has identified over 43,900 malicious NPM packages associated with 11 accounts, all named using a scheme involving Indonesian names and foods.

The malicious code generates a random package name, rewrites package.json to mark the package public and assign a random version number, and publishes the result to the NPM registry.

According to SourceCodeRed, the code repeats the same steps in an infinite loop, publishing a new package every 7 seconds, constantly spamming the NPM registry.

“This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages. The malware disguises itself as a legitimate Next.js application to avoid detection,” SourceCodeRed notes.
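The traits described above (code that rewrites its own package.json, forces it public, and calls `npm publish` on a timer) are concrete enough to triage a package for. The following is an added example, not SourceCodeRed's or JFrog's detection logic: a heuristic check over a package's manifest and shipped source. The regexes, the name heuristic and both sample packages are assumptions constructed for the illustration. Because the article does not say how the script is triggered on a victim's machine, the check looks at all shipped source, not only lifecycle hooks.

```javascript
'use strict';

// Added example (not SourceCodeRed's or JFrog's code): heuristic triage of an
// npm package for the self-replication traits the article describes. The
// regexes and the name heuristic are assumptions; the two sample packages at
// the bottom are constructed, not real registry content.

// Code publishing to the registry, as a shell command or a child_process
// argument list (e.g. spawn('npm', ['publish'])).
const PUBLISH_RE = /\bnpm\s+publish\b|\[\s*['"]publish['"]/;
// Code rewriting its own manifest, e.g. fs.writeFileSync('package.json', ...).
const MANIFEST_WRITE_RE = /write\w*\([^\n]*package\.json/;
// Code making the manifest publishable: pkg.private = false or "private": false.
const PRIVATE_FALSE_RE = /private["']?\s*[:=]\s*false/;
// Unbounded repetition: timers or infinite loops.
const LOOP_RE = /\bsetInterval\s*\(|while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)/;

// Assumed heuristic for machine-generated names: three or more hyphenated
// words ending in an all-digit segment (e.g. word-word-word-83917).
function looksGenerated(name) {
  const segs = name.replace(/^@[^/]+\//, '').split('-');
  return segs.length >= 3 && /^\d{2,}$/.test(segs[segs.length - 1]);
}

// pkg = { manifest: <parsed package.json>, files: { filename: source text } }
function triagePackage(pkg) {
  const manifest = pkg.manifest || {};
  const scripts = manifest.scripts || {};
  const findings = [];

  // Everything that could execute: script lines plus shipped source files.
  const corpus = [...Object.values(scripts), ...Object.values(pkg.files || {})].join('\n');

  const publishes = PUBLISH_RE.test(corpus);
  const rewritesManifest = MANIFEST_WRITE_RE.test(corpus);
  const loops = LOOP_RE.test(corpus);

  if (publishes) findings.push('code invokes npm publish');
  if (rewritesManifest) findings.push('code rewrites package.json');
  if (PRIVATE_FALSE_RE.test(corpus)) findings.push('code forces private: false');
  if (loops) findings.push('code repeats without bound');
  if (looksGenerated(manifest.name || '')) findings.push(`machine-looking name: ${manifest.name}`);

  // The worm signature from the article: publish logic combined with manifest
  // rewriting or an unbounded loop. A build script that runs `npm publish`
  // once does not meet it.
  const selfReplicating = publishes && (rewritesManifest || loops);
  return { name: manifest.name, selfReplicating, findings };
}

// Constructed worm-like package (not code from the campaign).
const WORM_SAMPLE = {
  manifest: { name: 'sate-ayam-merah-83917', version: '41.7.903', private: false,
              dependencies: { next: '^14.0.0' } },
  files: {
    'auto.js': [
      "const fs = require('fs');",
      "const { execSync } = require('child_process');",
      'function tick() {',
      "  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));",
      '  pkg.name = randomName(); pkg.version = randomVersion(); pkg.private = false;',
      "  fs.writeFileSync('package.json', JSON.stringify(pkg));",
      "  execSync('npm publish --access public');",
      '}',
      'setInterval(tick, 7000);',
    ].join('\n'),
  },
};

// Constructed ordinary Next.js app for comparison.
const NEXT_APP_SAMPLE = {
  manifest: { name: 'my-next-app', version: '0.1.0', private: true,
              scripts: { dev: 'next dev', build: 'next build', start: 'next start' } },
  files: { 'next.config.js': 'module.exports = { reactStrictMode: true };' },
};

function runSamples() {
  return { worm: triagePackage(WORM_SAMPLE), nextApp: triagePackage(NEXT_APP_SAMPLE) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Run it over a checkout of `node_modules` by building one `pkg` object per package directory (parsed package.json plus the text of its `.js` files). The combined verdict matters more than any single regex: many legitimate packages publish from a release script, and many rewrite package.json during a build, but few do both from inside the shipped package on a timer.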


The activity was also observed by JFrog, which identified over 80,000 self-replicating packages named using a similar random name generation scheme. In addition to the custom wordlist that includes names and foods, the dictionary also uses adjectives, colors, and animal names.

According to JFrog, which named the campaign Big Red, the malware reuses a victim user’s stored NPM credentials to publish newly generated packages to the registry at a fast pace.

“The result is a tight, fully automated loop that can flood the npm ecosystem with large numbers of superficially legitimate packages, all derived from the same code template and differentiated only by randomized metadata,” JFrog notes.

The 80,000 malicious packages were published across 18 user accounts and contain only the self-replicating publishing logic.
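The replication step depends on credentials already present on the victim's machine: `npm login` stores a token as `//registry.npmjs.org/:_authToken=...` in the user's `.npmrc`, and anything that runs as that user can call `npm publish` with it. The following is an added example, not JFrog's or SourceCodeRed's tooling: an audit of an `.npmrc` that reports each stored credential and whether it is a literal value on disk or a `${VAR}` reference that npm expands from the environment at run time. The `.npmrc` text and the token value are constructed.

```javascript
'use strict';

// Added example (not JFrog's or SourceCodeRed's tooling): list the credentials
// an .npmrc makes available to any process running as the user. Keys of the
// form //host/path:_authToken are scoped to one registry; a value of the form
// ${VAR} is expanded from the environment by npm rather than stored on disk.
// The sample .npmrc below is constructed and its token value is fake.

const SECRET_KEYS = new Set(['_authToken', '_auth', '_password']);

function auditNpmrc(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue; // comment
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    // Registry-scoped keys look like //host/path:_authToken; split on the last ':'.
    const colon = key.lastIndexOf(':');
    const keyName = colon >= 0 ? key.slice(colon + 1) : key;
    if (!SECRET_KEYS.has(keyName)) continue;
    const fromEnv = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
    findings.push({
      key: keyName,
      registry: colon >= 0 ? key.slice(0, colon) : '(all registries)',
      fromEnv,
      // Never echo the secret itself; a short prefix is enough to locate it.
      preview: fromEnv ? value : `${value.slice(0, 4)}...`,
    });
  }
  return findings;
}

// Credentials that sit on disk and would survive into any child process.
function tokensAtRest(text) {
  return auditNpmrc(text).filter((f) => !f.fromEnv);
}

// Constructed .npmrc: one token at rest (fake value) and one read from the environment.
const SAMPLE_NPMRC = [
  '; written by `npm login`',
  '//registry.npmjs.org/:_authToken=npm_FAKEFAKEFAKEFAKEFAKE',
  '//npm.example.internal/:_authToken=${NPM_TOKEN}',
  'registry=https://registry.npmjs.org/',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditNpmrc(SAMPLE_NPMRC));
  console.log(`${tokensAtRest(SAMPLE_NPMRC).length} credential(s) stored on disk`);
}
```

Two caveats for anyone using this as a control. A token referenced through `${NPM_TOKEN}` is only as safe as the environment it is read from: a script started from the same shell sees the variable too, so the gain is against credentials lingering on disk, not against code already running as the user. And an account whose two-factor setting requires a one-time code for writes cannot be used by an unattended publish loop with a plain login token, whereas tokens created to skip that prompt for CI can; the audit should therefore also cover which token types are in use on publishing accounts.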

The exact purpose of the campaign remains unclear, but JFrog hypothesizes that it could be “a dry run for a future campaign where the same infrastructure and naming scheme could be reused to deliver real malicious payloads for the campaigns with self-replicated code”.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
