- More than 43,000 inactive spam packages flooded npm in a coordinated two-year campaign
- Some packages contained worm-like scripts that automatically generated and published new entries.
- Attackers may have faked tea impact scores to earn token rewards from the decentralized tea protocol.
About 1% of the entire npm ecosystem now consists of fake, inactive packages that were uploaded as part of a targeted (and potentially malicious) campaign that lasted for years, experts said.
Cybersecurity researchers at Endor Labs discovered more than 43,000 spam packages that were uploaded over almost two years in a coordinated effort using at least 11 different user accounts.
“The packages were systematically released over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” the researchers said.
TEA token harvest?
The researchers named the campaign IndonesianFoods because of the way the packages are named. The publishing script contains two internal dictionaries, one of Indonesian names and another of Indonesian food terms. When it runs, it picks one term from each at random, appends a number, and appends a suffix.
The strange thing is that the packages themselves are not malicious. They are not designed to steal sensitive data from developers or act as a backdoor. Instead, they just sit there, inactive, accumulating downloads.
Some packages have thousands of downloads per week, the researchers explain, hinting that this gives the attacker a potential advantage: “This leaves an opportunity for attackers to push a malicious commit in the future that would affect all of those downloads.”
Some of the packages contained a worm-like script that, if executed, would generate further packages and publish them to npm.
Beyond that latent risk, the researchers also believe the campaign could be financially motivated. Some of the packages included tea.yaml files listing tea accounts. Tea is a decentralized protocol that rewards open source developers with tokens for the software they contribute.
This suggests the attackers tried to inflate their impact scores in order to earn more TEA tokens.
Via Hacker News