
"The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual: it's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors. The worm-like propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods."
""What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack," McCarty said. "Even worse, these threat actors have been staging this for over two years." Some signs that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts."
A large-scale spam campaign has flooded the npm registry with tens of thousands of fake packages since early 2024. The campaign has published as many as 46,484 packages and persisted in the ecosystem for almost two years. The operation uses a worm-like propagation mechanism and a distinctive naming scheme based on Indonesian names and food terms, labeled IndonesianFoods. Many packages impersonate Next.js projects and contain a single JavaScript file (e.g., "auto.js" or "publishScript.js") that remains dormant until manually executed with a command like "node auto.js." The payload does not run automatically during installation or via postinstall hooks. Packages were published from a small network of over a dozen npm accounts, indicating coordination, and the apparent goal is to inundate the registry with random junk rather than to steal data.
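The summary above describes two properties a defender can check for directly: whether a package runs anything at install time (lifecycle hooks), and whether it matches the dormant single-file layout reported for this campaign. The following triage helper is an added example written for this page; it is not code from The Hacker News, SourceCodeRED, or npm. The input format (`name`, `publisher`, `scripts`, `dependencies`, `files`), the indicator names and the verdict labels are assumptions, and the sample package records are constructed, not real registry entries.

```javascript
// Added example: defender-side triage of npm package metadata.
// Indicators are assumptions drawn from the campaign description:
//   - a single dormant JS file named "auto.js" or "publishScript.js" and no lifecycle hooks
//   - a Next.js claim (dependency on "next" or "next" in the name)
//   - install-time hooks, which are a separate, higher-risk signal

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DORMANT_FILE_NAMES = new Set(["auto.js", "publishScript.js"]);

function isJsFile(path) {
  return /\.(m|c)?js$/i.test(path);
}

// meta: { name, publisher, scripts, dependencies, devDependencies, files }
// files: paths inside the tarball, package.json excluded (assumed input format)
function triagePackage(meta) {
  const scripts = meta.scripts || {};
  const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
  const files = meta.files || [];

  // Hooks that npm would run on install; the campaign's packages do not use them.
  const installHooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");

  // Exactly one JS file, with one of the names named in the report, and no hooks.
  const jsFiles = files.filter(isJsFile);
  const singleDormantFile =
    installHooks.length === 0 &&
    jsFiles.length === 1 &&
    DORMANT_FILE_NAMES.has(jsFiles[0].split("/").pop());

  const claimsNext = "next" in deps || /next/i.test(meta.name || "");

  let verdict = "no-indicator";
  if (installHooks.length > 0) verdict = "runs-on-install";
  else if (singleDormantFile) verdict = "dormant-spam-pattern";

  return { name: meta.name, installHooks, singleDormantFile, claimsNext, verdict };
}

// Count dormant-pattern packages per publishing account, most prolific first,
// to surface the small set of accounts behind a large volume of lookalike packages.
function publishersByDormantCount(metas) {
  const counts = new Map();
  for (const m of metas) {
    if (triagePackage(m).verdict !== "dormant-spam-pattern") continue;
    counts.set(m.publisher, (counts.get(m.publisher) || 0) + 1);
  }
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

// Constructed sample records (not real packages or accounts).
const SAMPLE_PACKAGES = [
  { name: "example-next-starter-a", publisher: "acct-one",
    dependencies: { next: "^14.0.0" }, files: ["auto.js"] },
  { name: "example-next-starter-b", publisher: "acct-one",
    dependencies: { next: "^14.0.0" }, files: ["publishScript.js"] },
  { name: "example-tool", publisher: "acct-two",
    scripts: { postinstall: "node setup.js" }, files: ["setup.js", "index.js"] },
  { name: "example-lib", publisher: "acct-three",
    files: ["lib/index.js", "README.md"] },
];

function runDemo() {
  return {
    results: SAMPLE_PACKAGES.map(triagePackage),
    publishers: publishersByDormantCount(SAMPLE_PACKAGES),
  };
}

const demo = runDemo();
for (const r of demo.results) {
  console.log(`${r.name}: ${r.verdict}${r.claimsNext ? " (claims Next.js)" : ""}`);
}
console.log("publishers with dormant-pattern packages:", demo.publishers);
```

The two verdicts are deliberately kept apart: a package that matches the dormant pattern is a registry-pollution signal and does nothing on `npm install`, whereas any install-time hook is a different class of risk and should be reviewed regardless of naming. Feed `triagePackage` with metadata pulled from a registry mirror or from tarballs extracted in CI to get a per-package verdict, and `publishersByDormantCount` to see which accounts are producing the bulk of the lookalikes.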
Read at The Hacker News