Security researchers have uncovered a massive, coordinated spam campaign that flooded the npm registry with more than 43,000 packages over nearly two years. Dubbed the “IndonesianFoods worm,” the operation exposes gaps in how the widely used JavaScript package registry detects abuse. The packages, whose publishing code lay dormant until someone ran it by hand, account for more than 1 percent of the entire registry and went undetected for an extended period.
The scale of the campaign was revealed by security researcher Paul McCarty. The worm pairs a distinctive naming convention with a self-replicating publishing script, and because its packages depend on one another, installing any one of them pulls in many more. The campaign’s longevity and the sheer volume of packages underscore the challenge of policing abuse in an open-source ecosystem of npm’s size.
The IndonesianFoods Worm: Unpacking the Coordinated Spam Campaign
The IndonesianFoods worm campaign is characterized by its sheer volume. At its peak, the automated scripts published roughly twelve packages per minute, a rate that would amount to around 17,000 packages a day if sustained; the reported total of 43,000 packages shows that publishing came in bursts rather than continuously. The campaign as a whole ran for almost two years across at least eleven distinct user accounts.
A key element of the campaign’s camouflage lies in its naming strategy. Packages are named from a common Indonesian first name such as “andi” or “budi,” combined with a food term such as “rendang” or “sate,” followed by a number and a suffix such as “-kyuki” or “-breki.” Examples cited include “zul-tapai9-kyuki” and “andi-rendang23-breki.” The pattern is regular enough to match once recognized, yet the names blended into the vast repository for two years.
On initial inspection the spam packages appeared legitimate: a standard Next.js project structure, proper configuration files, common dependencies such as React and Tailwind CSS, and professional-looking documentation. The facade made them hard to distinguish from genuine projects.
According to Endor Labs security analysts, the packages belong to an attack strategy first identified in April 2024. The operators abused the tea protocol, a system designed to reward open-source contributions with cryptocurrency. Because the protocol tracks and pays out rewards for ecosystem participants, registering tens of thousands of packages turned the spam into income.
Evidence suggests that at least one of the npm maintainer accounts associated with the operation belonged to an Indonesian software engineer, which would explain the regional flavor of the naming convention and other aspects of the campaign.
The Worm’s Self-Replicating Mechanism: How Dormant Code Activates and Spreads
The IndonesianFoods worm spreads through dependency chains within the npm ecosystem. The replication code sits dormant inside each package in a script file named “auto.js” or “publishScript.js” that nothing in package.json references, so it does not run on install and only executes when someone triggers it manually.
Once started, typically with “node auto.js,” the script runs a three-step loop. First, it removes the “private”: true flag from package.json, the safeguard that prevents accidental publication of a private project. Second, it generates a random version number such as “2.3.1,” because npm refuses to republish a version that already exists. Third, it updates package.json and package-lock.json and runs “npm publish --access public,” then repeats, pushing a new package to the registry every seven to ten seconds.
The danger is amplified by the fact that each spam package lists eight to ten other spam packages as dependencies. When a developer installs a single contaminated package, npm resolves and fetches its entire dependency tree, so one install can pull in more than a hundred related spam packages and sharply increase the exposure.
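The indicators described above (the naming pattern, the unreferenced publishing script, and the dependency cascade) can be checked mechanically. The following audit helpers are an added example written for this article, not code from the researchers, Endor Labs, or npm. They assume a lockfileVersion 3 package-lock.json; the lock file and file lists are constructed fixtures, and the name and food word lists contain only the terms the article cites and would need extending for real use.

```javascript
// Added example: audit a package-lock.json and a package's file list for the
// IndonesianFoods indicators described in the article. Not the researchers' code.

// Word lists hold only the terms quoted in the article; real detection needs more.
const GIVEN_NAMES = ['andi', 'budi', 'zul'];
const FOODS = ['rendang', 'sate', 'tapai'];
const SUFFIXES = ['kyuki', 'breki'];

// <name>-<food><digits>-<suffix>, e.g. zul-tapai9-kyuki or andi-rendang23-breki
const SPAM_NAME_RE = new RegExp(
  `^(?:${GIVEN_NAMES.join('|')})-(?:${FOODS.join('|')})\\d*-(?:${SUFFIXES.join('|')})$`
);

function looksLikeSpamName(name) {
  return SPAM_NAME_RE.test(name);
}

// Build name -> [dependency names] from a v3 lock file. Keys look like
// "node_modules/a" or "node_modules/a/node_modules/b"; the package name is
// whatever follows the last "node_modules/" (scoped names keep their "@scope/").
function dependencyGraph(lock) {
  const graph = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    graph.set(name, Object.keys(entry.dependencies || {}));
  }
  return graph;
}

// Everything npm would fetch when installing `root`, excluding `root` itself.
// Cycles (spam packages depending on each other) are handled by the seen set.
function transitiveDependencies(graph, root) {
  const seen = new Set([root]);
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    for (const dep of graph.get(name) || []) {
      if (!seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  return [...seen].filter(n => n !== root).sort();
}

// Flag suspiciously named packages and report how many packages each one drags in.
function auditLock(lock) {
  const graph = dependencyGraph(lock);
  const flagged = [...graph.keys()].filter(looksLikeSpamName).sort();
  const cascade = {};
  for (const name of flagged) cascade[name] = transitiveDependencies(graph, name).length;
  return { flagged, cascade };
}

// Second indicator: an auto.js or publishScript.js that no "scripts" entry refers
// to. `files` is the package's file list (e.g. from `npm pack --dry-run`).
function unreferencedPublishScripts(pkgJson, files) {
  const scripts = Object.values(pkgJson.scripts || {}).join('\n');
  return files.filter(f => /^(?:auto|publishScript)\.js$/.test(f) && !scripts.includes(f));
}

// Constructed fixture: a project depending on one spam package, which references
// two more that reference each other (the article reports eight to ten per package).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { react: '^18.2.0', 'zul-tapai9-kyuki': '^2.3.1' } },
    'node_modules/react': { version: '18.2.0', dependencies: { 'loose-envify': '^1.1.0' } },
    'node_modules/loose-envify': { version: '1.4.0' },
    'node_modules/zul-tapai9-kyuki': {
      version: '2.3.1',
      dependencies: { 'andi-rendang23-breki': '*', 'budi-sate7-kyuki': '*' },
    },
    'node_modules/andi-rendang23-breki': {
      version: '1.8.4',
      dependencies: { 'budi-sate7-kyuki': '*', 'zul-tapai9-kyuki': '*' }, // cycle
    },
    'node_modules/budi-sate7-kyuki': { version: '3.0.2', dependencies: { react: '^18.2.0' } },
  },
};

// Constructed fixture: a Next.js-looking package shipping an unreferenced auto.js.
const SAMPLE_PKG_JSON = { name: 'zul-tapai9-kyuki', scripts: { build: 'next build' } };
const SAMPLE_FILES = ['package.json', 'next.config.js', 'auto.js', 'publishScript.js'];

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
console.log(unreferencedPublishScripts(SAMPLE_PKG_JSON, SAMPLE_FILES));
```

Run against a real project's package-lock.json, `auditLock` reports both the suspicious names and the size of the tree each one would install; `unreferencedPublishScripts` is meant for the unpacked tarball of a candidate package, where a script file that no `scripts` entry invokes is exactly the dormant trigger the article describes.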
Some of these packages accumulated significant download numbers, reaching thousands of weekly downloads. That install base would have let the operators ship actual malicious code in a later version and reach a large number of systems at once. Monetization through tea token rewards underscores the financial motive behind the two-year operation; some package documentation openly displayed the token amounts earned.
The discovery of the IndonesianFoods worm highlights the ongoing challenge of securing large open-source software repositories. npm has security measures in place, yet the scale of this campaign shows that spam and self-replicating publishing can persist unnoticed. The open questions are how an operation this extensive ran undetected for so long and what further measures would prevent similar incidents and strengthen the npm ecosystem.