
"A coordinated token farming campaign continues to flood the open source npm registry, with tens of thousands of infected packages created almost daily to steal tokens from unsuspecting developers using the Tea Protocol to reward coding work. On Thursday, researchers at Amazon said there were over 150,000 packages in the campaign. But in an interview on Friday, an executive at software supply chain management provider Sonatype, which wrote about the campaign in April 2024, told CSO that number has now grown to 153,000."
"And while this payload merely steals tokens, other threat actors are paying attention, he predicted. "I'm sure somebody out there in the world is looking at this massively replicating worm and wondering if they can ride that, not just to get the Tea tokens but to put some actual malware in there, because if it's replicating that fast, why wouldn't you?""
"With the swollen numbers reported this week, Amazon researchers wrote that it's "one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security." This campaign is just the latest way threat actors are taking advantage of security holes in a number of open source repositories, which runs the risk of damaging the reputation of sites like npm, PyPI and others."
Over 153,000 infected npm packages have been created in a token-farming campaign designed to steal Tea Protocol tokens from developers. The campaign has grown rapidly, from roughly 15,000 packages about a year ago to well over 150,000, making it one of the largest package-flooding incidents in open source registry history. The current payload only extracts tokens, but the scale of replication makes the campaign attractive to other threat actors, who could insert malware. The infestation erodes trust in upstream open-source supply chains, threatens the reputations of registries such as npm and PyPI, and highlights major supply-chain security gaps.
Read at InfoWorld