Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.
"The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.
The coordinated campaign has so far published as many as 67,579 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual: the campaign is designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors.
The worm-like propagation mechanism and the use of a specific naming scheme that relies on Indonesian names and food words for the newly created packages have earned it the moniker IndonesianFoods Worm. The bogus packages masquerade as Next.js projects.
"What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack," McCarty said. "Even worse, these threat actors have been staging this for over two years."
Some indicators that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts.
The worm lives in a single JavaScript file (e.g., "auto.js" or "publishScript.js") in each package, staying dormant until a user manually runs the script with a command like "node auto.js." In other words, it does not execute automatically during installation or as part of a "postinstall" hook.
It is not clear why someone would go to the length of running the JavaScript file manually, but the existence of over 43,000 packages suggests either that several victims executed the script, whether by accident or out of curiosity, or that the attackers ran it themselves to flood the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.
"We have not found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential. Possible victim scenarios include: fake blog posts, tutorials, or README entries instructing users to run 'node auto.js' to 'complete setup' or 'fix a build issue,' [and] CI/CD pipeline build scripts with wildcards, something like node *.js, that execute all JavaScript files," Raj added.
"The payload's dormant design is intended to evade automated detection. By requiring manual execution instead of 'autorun,' the attackers reduce the chance of being flagged by security scanners and sandboxing systems."
Manual execution causes the script to initiate a series of actions in an infinite loop, including removing "private": true from the "package.json" file. This setting is normally used to prevent a package from being published by accident. The script then proceeds to create a random package name using its internal dictionary and assigns it a random version number to bypass npm's duplicate version detection.
In the final stage, the spam package is uploaded to npm using the "npm publish" command. The whole process repeats in an endless loop, pushing out a new package every 7 to 10 seconds. At that cadence, a single running instance produces roughly six to nine packages a minute, several hundred an hour, and on the order of 10,000 a day.
"This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages," McCarty said.
According to Endor Labs, the campaign is part of an attack that was first documented by Phylum (now part of Veracode) and Sonatype in April 2024 that involved the publication of thousands of spam packages to conduct a "massive automated crypto farming campaign" by abusing the Tea protocol.
"What makes this campaign particularly insidious is its worm-like spreading mechanism," the researchers said. "Analysis of the 'package.json' files reveals that these spam packages do not exist in isolation; they reference each other as dependencies, creating a self-replicating network."
Thus, when a user installs one of the spam packages, npm resolves and fetches the entire dependency tree; because the packages reference each other, a single install pulls in the whole interlinked set, straining registry bandwidth as the transitive closure of those cross-references is downloaded.
Endor Labs said some of the attacker-controlled packages, such as arts-dao and gula-dao, include a tea.yaml file listing five different TEA accounts. The Tea protocol is a decentralized framework that allows open-source developers to be rewarded for their software contributions.
This likely indicates that the threat actors are using the campaign as a monetization vector, earning TEA tokens by artificially inflating their impact scores. It is not clear who is behind the activity, but source code and infrastructure clues suggest it could be someone operating out of Indonesia.
The application security company has also flagged a second variant that employs a different package naming scheme made up of random English words (e.g., able_crocodile-notthedevs).
JFrog, which is tracking the campaign as Big Purple, said the malware reuses a victim user's saved npm credentials to publish newly generated packages relentlessly to the repository.
"The code is a simple but effective npm package factory," JFrog researcher Andrii Polkovnychenko said. "The result is a tight, fully automated loop that can flood the npm ecosystem with large numbers of superficially legitimate packages, all derived from the same code template and differentiated only by randomized metadata."
The findings also highlight a blind spot in security scanners, which typically flag packages that execute malicious code during installation by monitoring lifecycle hooks or detecting suspicious system calls.
"In this case, they found nothing because there was nothing to find at the time of installation," Endor Labs said. "The sheer number of packages flagged in the current campaign shows that security scanners must analyze these signals in the future."
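The dormant publisher loop (an auto.js or publishScript.js that strips the private flag, picks a dictionary name and a random version, and calls npm publish), the tea.yaml manifests, and the cross-referencing dependencies described above are all static artifacts sitting in the package tarball, which is exactly what a lifecycle-hook monitor never looks at. As an added example that is not code from Endor Labs, SourceCodeRED, JFrog or the campaign itself, the Python script below checks an unpacked package for those indicators and walks a small registry to show how far one npm install of a cross-linked spam package fans out. The word list, the -dao suffix, the regular expressions, the version threshold and the sample packages are all assumptions constructed for the example.

```python
"""Static pre-install triage for IndonesianFoods-style spam packages (added example;
not code from Endor Labs, SourceCodeRED, JFrog or the campaign). The word list,
suffix, regexes and version threshold are assumptions; the samples are constructed."""
import re
from collections import deque

# Assumed stand-in for the worm's dictionary of Indonesian names and food words.
NAME_WORDS = {"nasi", "sate", "bakso", "rendang", "gula", "soto", "tempe", "sambal"}
NAME_SUFFIXES = {"dao"}  # the suffix on the two package names the article cites
PUBLISH_RE = re.compile(r"\bnpm\s+publish\b")
LOOP_RE = re.compile(r"while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)|setInterval\s*\(")
PRIVATE_RE = re.compile(r"delete\s+\w+\.private\b|\.private\s*=\s*false|[\"']private[\"']\s*:\s*false")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def name_matches_scheme(name):
    """Assumed heuristic: <dictionary word>-...-<suffix>, e.g. nasi-dao."""
    parts = re.split(r"[-_]", name.lower())
    return len(parts) >= 2 and parts[0] in NAME_WORDS and parts[-1] in NAME_SUFFIXES

def version_looks_random(version, limit=50):
    """Assumed heuristic: hand-maintained semver rarely has a component above `limit`."""
    try:
        return any(int(p) > limit for p in version.split("."))
    except ValueError:
        return False

def scan_package(pkg):
    """Indicator names found in one unpacked package:
    {"package.json": <dict>, "files": {<filename>: <text>}}."""
    meta, files = pkg["package.json"], pkg["files"]
    hits = set()
    if name_matches_scheme(meta.get("name", "")):
        hits.add("dictionary_name")
    if version_looks_random(meta.get("version", "0.0.0")):
        hits.add("random_version")
    if "tea.yaml" in files:
        hits.add("tea_yaml")
    if any(h in meta.get("scripts", {}) for h in LIFECYCLE_HOOKS):
        hits.add("lifecycle_hook")  # what install-time monitors key on; the campaign sets none
    for fname, text in files.items():
        if fname.endswith(".js") and PUBLISH_RE.search(text):
            hits.add("publish_script")
            if LOOP_RE.search(text):
                hits.add("publish_loop")
            if PRIVATE_RE.search(text):
                hits.add("strips_private_flag")
    if "publish_loop" in hits and "lifecycle_hook" not in hits:
        hits.add("dormant_publisher")  # a publish loop nothing runs at install: the blind spot
    return hits

def cross_references(registry):
    """Members of `registry` that list another member as a dependency."""
    return {n for n, p in registry.items()
            if any(d in registry for d in p["package.json"].get("dependencies", {}))}

def dependency_closure(registry, root):
    """Every name `npm install <root>` would fetch (transitive closure). Names missing
    from `registry` count once but are not expanded."""
    seen, queue = {root}, deque([root])
    while queue:
        pkg = registry.get(queue.popleft())
        for dep in (pkg["package.json"].get("dependencies", {}) if pkg else ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

# Constructed fixture text standing in for the dormant publisher; not the worm's code.
FAKE_PUBLISHER = """const fs = require('fs'); const { execSync } = require('child_process');
while (true) {
  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
  delete pkg.private;  // drop the guard against accidental publication
  pkg.name = randomName(); pkg.version = randomVersion();
  fs.writeFileSync('package.json', JSON.stringify(pkg));
  execSync('npm publish');
}"""

def make_package(name, version, deps, files, scripts=None):
    meta = {"name": name, "version": version, "dependencies": deps}
    if scripts:
        meta["scripts"] = scripts
    return {"package.json": meta, "files": files}

# Constructed sample registry: four cross-linked spam packages plus one benign package.
SAMPLE_REGISTRY = {
    "nasi-dao": make_package("nasi-dao", "7.183.2", {"sate-dao": "*", "bakso-dao": "*", "next": "^14"},
                             {"auto.js": FAKE_PUBLISHER, "tea.yaml": "accounts: [a, b, c, d, e]\n"}),
    "sate-dao": make_package("sate-dao", "3.91.44", {"bakso-dao": "*", "rendang-dao": "*"},
                             {"publishScript.js": FAKE_PUBLISHER}),
    "bakso-dao": make_package("bakso-dao", "12.7.301", {"nasi-dao": "*"},
                              {"auto.js": FAKE_PUBLISHER, "tea.yaml": "accounts: [a]\n"}),
    "rendang-dao": make_package("rendang-dao", "1.77.0", {"nasi-dao": "*", "sate-dao": "*"},
                                {"auto.js": FAKE_PUBLISHER}),
    "demo-utils": make_package("demo-utils", "1.2.3", {"lodash": "^4.17.21"},
                               {"index.js": "module.exports = (x) => x;\n"}, {"test": "node test.js"}),
}

if __name__ == "__main__":
    for name, pkg in SAMPLE_REGISTRY.items():
        print(f"{name:12s} {sorted(scan_package(pkg))}")
    print("cross-referencing:", sorted(cross_references(SAMPLE_REGISTRY)))
    print("fetched by `npm install nasi-dao`:", sorted(dependency_closure(SAMPLE_REGISTRY, "nasi-dao")))
```

The point of the dormant_publisher indicator is that it fires on content, not on behaviour: the spam packages declare no lifecycle hook, so a monitor that only watches what runs at install time reports them clean, while a grep for an unconditional npm publish inside a loop in a shipped .js file catches every copy of the template. dependency_closure shows the other half of the story: installing one member of the set drags in every package it is linked to, each fetched once, so the registry cost of a single install grows with the size of the interlinked network rather than with the one package the user asked for.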
Garrett Calpouzos, principal security researcher at software supply chain security firm Sonatype, characterized IndonesianFoods as a self-publishing worm operating at a massive scale, overwhelming security data systems in the process.
"The technical sophistication isn't necessarily higher — interestingly, these packages don't appear to even try to infiltrate developer machines — it's the automation and scale that are escalating at an alarming rate," Calpouzos said.
"Each wave of these attacks weaponizes npm's open nature in slightly new ways. This one may not steal credentials or inject code, but it still strains the ecosystem and proves how trivial it is to disrupt the world's largest software supply chain. While the motivation is unclear, the implications are striking."
When reached for comment, a GitHub spokesperson said the company has removed the packages in question from npm, and that it is committed to detecting, analyzing, and taking down packages and accounts that violate its policies.
"We have disabled malicious npm packages in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms," the spokesperson added.
"We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform. We also encourage customers and community members to report abuse and spam."
Over 150,000 Spam Packages Linked to the Campaign
Amazon Web Services, in a report published Thursday, said its Amazon Inspector team identified and reported more than 150,000 packages linked to a coordinated TEA token farming campaign in the npm registry that has its origins in an initial wave detected in April 2024.
"This is one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security," researchers Chi Tran and Charlie Bacon said. "Threat actors automatically generate and publish packages to earn cryptocurrency rewards without user awareness, revealing how the campaign has expanded exponentially since its initial identification."
The activity essentially involves triggering a self-replicating automation mechanism that creates packages without legitimate functionality, publishes them to the npm registry, and earns TEA tokens by artificially inflating package metrics through automated replication and dependency chains.
The tech giant said the incident, while not overtly malicious in nature, illustrates how financial incentives can fuel abuse of a package repository and its infrastructure at scale, polluting the ecosystem with low-quality, non-functional packages that can undermine trust in the software supply chain.
"Even packages that seem benign can add unnecessary dependencies, potentially introducing unexpected behaviors or creating confusion in dependency resolution," the researchers added.
(The story was updated after publication to include insights from Amazon.)

