150,000 Package Flood: Amazon Uncovers Massive Token-Farming Attack on npm Registry
One of the largest supply-chain attacks ever recorded in the npm ecosystem has been uncovered, marking a historic event for open-source repositories. According to Amazon’s researchers, the registry faced an unprecedented “flooding” of packages — yet this campaign had a curious twist: the attackers were not attempting to steal credentials, deploy ransomware, or install traditional malware. Their objective was the covert farming of cryptocurrency tokens.
Amazon Inspector first detected suspicious packages in late October, using new detection rules and auxiliary AI-based tooling. By 7 November, the team had counted several thousand dubious uploads, and by 12 November the number of malicious artefacts had surpassed 150,000. The packages were published through multiple developer accounts, indicating careful preparation and tight coordination on the attackers’ part.
All of them were tied to tea.xyz, a decentralised platform that distributes rewards to open-source developers using the TEA token. The token powers the platform’s reward system, staking model and governance. The attack was engineered so that the perpetrators could collect payments from tea.xyz by generating artificial activity through their mass-published packages.
Unlike the typical npm attacks seen in recent months, this campaign did not embed modules designed to steal secrets or compromise developer environments. Instead, the attackers pursued a different strategy: they built a self-replicating scheme in which a published package automatically generated new ones and immediately pushed them to the registry. Each publication inflated the “activity metrics” that tea.xyz used for awarding TEA tokens. Thus, the attackers created a mechanism to automatically expand their “open-source contributions” and funnel the resulting tokens into their own wallets.
Each package also contained a tea.yaml file linking it to specific cryptocurrency addresses controlled by the attackers. Importantly, people who inadvertently installed or examined these packages were not exposed to any malicious payload — but nonetheless contributed, unwittingly, to enriching the attackers’ wallets.
To mitigate the campaign’s impact, Amazon coordinated with the Open Source Security Foundation (OpenSSF), forwarding all discovered malicious packages to the appropriate OpenSSF repository. On average, each new package received a MAL-ID within 30 minutes. Although these uploads contained no conventional malware, the threat lay elsewhere: the mass-generated low-quality content overloaded the registry, consumed computational resources, storage and bandwidth, and undermined developer trust in the very infrastructure on which much of modern software depends.
Researchers warn that the success of this artificial token-generation scheme may encourage similar abuses in other systems where participants receive rewards for activity. This raises the risk of new waves of automated package generation in additional repositories — including those where rewards are indirect, such as sponsorship-based or reputation-based ecosystems.
Amazon naturally advises developers to scan their projects with Amazon Inspector, but the broader strategy is universal: prune dead packages, scrutinise dependency origins, and harden the supply chain. Foundational measures include the use of SBOMs (software bills of materials) and isolating CI/CD pipelines to prevent mass-generated junk from infiltrating production workflows.
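The two practical details the article gives a defender are that every campaign package carried a tea.yaml naming the attackers’ wallet addresses, and that the packages were mass-generated, so the same address recurs across many of them. The script below is an added example (not code from Amazon, tea.xyz or the article) that turns those two facts into a dependency-tree audit: it walks a node_modules directory, collects the addresses listed in each tea.yaml, and flags any address shared by more than one package. It assumes the public tea.yaml layout with a top-level codeOwners: list of address strings; the package names and the 0xDEMO_WALLET_A address are constructed for the demo and are not indicators from the campaign.

```python
"""Audit an installed node_modules tree for packages that carry a tea.yaml.

Added example, not code from Amazon, tea.xyz or the article. Assumptions:
- tea.yaml has a top-level 'codeOwners:' sequence of wallet-address strings
  (the public tea.xyz template layout); only that key is parsed here.
- The sample packages and wallet address built by build_demo_tree() are
  constructed demo data, not indicators from the real campaign.
"""
import os
import re
import tempfile
from collections import defaultdict

# One YAML sequence item, e.g. "  - '0xabc'", "  - \"0xabc\"" or "  - 0xabc"
_ITEM = re.compile(r"^\s*-\s*['\"]?([^'\"\s#]+)['\"]?\s*$")


def parse_code_owners(text):
    """Return the address strings listed under 'codeOwners:'.

    Minimal line-based parser for the simple tea.yaml layout assumed above;
    a production tool would use a real YAML library instead.
    """
    owners = []
    in_list = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("codeOwners:"):
            in_list = True
            continue
        if in_list:
            m = _ITEM.match(line)
            if m:
                owners.append(m.group(1))
            elif stripped and not stripped.startswith("#"):
                in_list = False  # the next top-level key ends the list
    return owners


def find_tea_packages(root):
    """Walk root; map each package dir (relative, '/'-separated) to its addresses."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "tea.yaml" in filenames:
            with open(os.path.join(dirpath, "tea.yaml"), encoding="utf-8") as f:
                rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
                found[rel] = parse_code_owners(f.read())
    return found


def group_by_wallet(found):
    """Invert the mapping: wallet address -> sorted list of packages naming it."""
    by_wallet = defaultdict(list)
    for pkg, owners in found.items():
        for addr in owners:
            by_wallet[addr].append(pkg)
    return {addr: sorted(pkgs) for addr, pkgs in by_wallet.items()}


def flag_shared_wallets(found, threshold=2):
    """Addresses present in >= threshold distinct packages: a mass-publish signal."""
    return {a: p for a, p in group_by_wallet(found).items() if len(p) >= threshold}


def build_demo_tree():
    """Create a constructed node_modules tree: two packages sharing one wallet
    address plus one ordinary package without a tea.yaml (demo data only)."""
    root = tempfile.mkdtemp(prefix="tea-demo-")
    tea = "---\nversion: 1.0.0\ncodeOwners:\n  - '0xDEMO_WALLET_A'\nquorum: 1\n"
    for name in ("pkg-one", "pkg-two"):
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        with open(os.path.join(d, "tea.yaml"), "w", encoding="utf-8") as f:
            f.write(tea)
    d = os.path.join(root, "node_modules", "legit-lib")
    os.makedirs(d)
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
        f.write('{"name": "legit-lib"}')
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    hits = find_tea_packages(demo_root)
    for addr, pkgs in flag_shared_wallets(hits).items():
        print(f"{addr}: {len(pkgs)} packages -> {pkgs}")
```

Run it against a real checkout by calling find_tea_packages("node_modules") instead of the demo tree; a single tea.yaml is not itself evidence of abuse (legitimate maintainers use the file), which is why the report keys on an address recurring across packages rather than on the file’s mere presence.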