Over 67,000 Fake Npm Packages Flood Registry In Worm-like Spam Attack
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.
"The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.
The coordinated campaign has so far published as many as 67,579 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual – It's designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors.
The worm-life propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods. The bogus packages masquerade as Next.js projects.
"What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack," McCarty said. "Even worse, these threat actors have been staging this for over two years."
Some signs that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts.
The worm is located within a single JavaScript file (e.g., "auto.js" or "publishScript.js") in each package, staying dormant until a user manually runs the script using a command like "node auto.js." In other words, it does not execute automatically during installation or as part of a "postinstall" hook.
It's not clear why someone would go to the extent of running JavaScript manually, but the existence of over 43,000 packages suggests either multiple victims executed the script – either by accident or out of curiosity – or the attackers ran it themselves to flood the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.
"We haven't found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential, possible victim scenarios include: fake blog posts, tutorials, or README entries instructing users to run 'node auto.js' to 'complete setup' or 'fix a build issue,' [and] CI/CD pipeline build scripts with wildcards something like node *.js that
Source: The Hacker News
