The IndonesianFoods Worm: 67,000 Fake npm Packages Flood Registry to Farm Crypto Rewards
The flood of fictitious packages into the npm ecosystem has turned out to be a long-running and puzzling campaign that began in 2024. Over roughly two years, researchers watched vast numbers of meaningless projects being added to the JavaScript package registry. The packages did nothing malicious when installed, yet they multiplied rapidly, polluting search results with junk and placing a measurable load on the platform's infrastructure.
According to research teams at Endor Labs, Phylum, and Sonatype, the activity is an unusual scheme in which the operators use a chain of automated publications to generate tens of thousands of nearly identical packages. Each package carries the same script, which is not wired into any install hook and runs only when someone executes it by hand from a console. Once launched, the script removes the configuration setting that would otherwise block publication, generates a random name and version number, and publishes yet another empty package to the registry. It then repeats the cycle indefinitely, emitting a new release every few seconds.
Analysts highlight a distinctive hallmark of the campaign: highly uniform package names built from Indonesian vocabulary, much of it food-related, which is why the wave was labeled IndonesianFoods. Some of the packages list one another as dependencies, so installing a single one pulls down an entire cluster and sharply amplifies network load. Certain packages also ship a configuration file for the Tea protocol, a decentralized scheme that rewards open-source developers based on their packages' usage and position in the dependency graph. Taken together, the cross-referencing dependency lists and the Tea configuration are consistent with an attempt to earn tokens by artificially inflating those metrics.
In total, more than 67,000 such publications were identified, including later variants whose names switched to random combinations of English words. The persistence and scale of the operation point to a deliberate, tightly orchestrated process run from a small number of npm accounts. Because the packages did nothing harmful at install time, they slipped past automated defenses, many of which watch only install-time events, in particular the preinstall, install, and postinstall lifecycle scripts.
According to software supply-chain experts, the campaign was not intended to steal data or compromise developers' machines. Its primary goal was to flood the registry with useless objects, which is itself damaging to the ecosystem. The operation also exposes a significant blind spot in defensive tooling: threats whose behavior appears only when a file is executed manually, rather than during installation, are hard to catch with hook-based monitoring alone.
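As an added example, not code from the original article or from any of the vendors it cites, the script below runs a static triage pass over a constructed snapshot of registry metadata. It shows why install-time monitoring misses this campaign (the worm packages declare no lifecycle scripts, so `installHooks` returns nothing for them), how the publish loop described above can still be spotted from package contents, how far one install fans out across a cross-referencing cluster, and how the naming and Tea-configuration hallmarks combine into a verdict. All package names, file names, file contents, and the food-word vocabulary are constructed for illustration; the real campaign's word list and script are not reproduced.

```javascript
"use strict";
// Added example: static triage over constructed npm registry metadata.
// Nothing here touches the network; REGISTRY stands in for data a scanner
// would pull from the registry API and from unpacked tarballs.

// Lifecycle scripts npm runs when a registry dependency is installed; these
// are what install-time monitors (and `ignore-scripts`) act on.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Assumed vocabulary for the naming heuristic (constructed, not the real list).
const INDONESIAN_FOOD_WORDS = new Set([
  "nasi", "goreng", "ayam", "sambal", "rendang", "bakso",
  "sate", "soto", "tempe", "gado", "bakmi", "pisang",
]);

// Constructed stand-in for the manually-run publish loop. It is inert here
// (a string); it exists only so the content check has something to match.
const WORM_LIKE_SCRIPT = [
  "const { execSync } = require('child_process');",
  "const fs = require('fs');",
  "setInterval(() => {",
  "  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));",
  "  delete pkg.private; // drop the guard that blocks publication",
  "  pkg.name = pickName(); pkg.version = pickVersion();",
  "  fs.writeFileSync('package.json', JSON.stringify(pkg));",
  "  execSync('npm publish');",
  "}, 5000);",
].join("\n");

// Hypothetical registry slice: name -> { manifest (package.json), files }.
const REGISTRY = {
  "nasi-goreng-ayam": {
    manifest: { name: "nasi-goreng-ayam", version: "1.0.3",
                dependencies: { "sambal-rendang-bakso": "*" } },
    files: { "run.js": WORM_LIKE_SCRIPT, "tea.yaml": "version: 1.0.0" },
  },
  "sambal-rendang-bakso": {
    manifest: { name: "sambal-rendang-bakso", version: "2.4.1",
                dependencies: { "sate-soto-tempe": "*" } },
    files: { "run.js": WORM_LIKE_SCRIPT, "tea.yaml": "version: 1.0.0" },
  },
  "sate-soto-tempe": {
    manifest: { name: "sate-soto-tempe", version: "0.9.7",
                dependencies: { "nasi-goreng-ayam": "*" } },
    files: { "run.js": WORM_LIKE_SCRIPT, "tea.yaml": "version: 1.0.0" },
  },
  // Ordinary package with a real postinstall hook: visible to hook monitors,
  // but none of the campaign hallmarks apply.
  "left-pad-clone": {
    manifest: { name: "left-pad-clone", version: "1.2.0",
                scripts: { postinstall: "node setup.js" }, dependencies: {} },
    files: { "setup.js": "console.log('configured');", "index.js": "module.exports = s => s;" },
  },
  // A single food word in an otherwise normal name must not trip the heuristic.
  "nasi-client": {
    manifest: { name: "nasi-client", version: "3.0.0", dependencies: {} },
    files: { "index.js": "module.exports = {};" },
  },
};

// Which install-time hooks a manifest declares (empty for the worm packages).
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts);
}

// Share of name segments drawn from the assumed vocabulary.
function foodWordRatio(name) {
  const parts = name.split(/[-_.]/).filter(Boolean);
  const hits = parts.filter((p) => INDONESIAN_FOOD_WORDS.has(p)).length;
  return parts.length ? hits / parts.length : 0;
}

function hasTeaConfig(files) {
  return Object.keys(files).some((f) => /^tea\.ya?ml$/.test(f));
}

// Content check on plain JS files: rewrites the private guard, shells out to
// `npm publish`, and loops. No hook is needed for this to be dangerous.
function hasPublishLoop(files) {
  return Object.entries(files).some(([path, src]) =>
    /\.[cm]?js$/.test(path) &&
    /npm\s+publish/.test(src) &&
    /\bprivate\b/.test(src) &&
    /(setInterval|while\s*\(\s*true|for\s*\(\s*;\s*;)/.test(src));
}

// Every package pulled in by installing `root` (transitive closure over the
// snapshot), i.e. the amplification one install causes inside a cluster.
function installClosure(registry, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const n = stack.pop();
    if (seen.has(n)) continue;
    seen.add(n);
    const deps = (registry[n] && registry[n].manifest.dependencies) || {};
    for (const d of Object.keys(deps)) if (registry[d]) stack.push(d);
  }
  return seen;
}

// Flag a package when at least two hallmarks line up; report its hooks too,
// to make the install-time blind spot explicit in the output.
function triage(registry) {
  const flagged = {};
  for (const [name, { manifest, files }] of Object.entries(registry)) {
    const reasons = [];
    if (foodWordRatio(name) >= 0.67) reasons.push("indonesian-food-name");
    if (hasTeaConfig(files)) reasons.push("tea-config");
    if (hasPublishLoop(files)) reasons.push("publish-loop-script");
    const cluster = installClosure(registry, name).size;
    if (cluster >= 3) reasons.push(`dependency-cluster:${cluster}`);
    if (reasons.length >= 2) flagged[name] = { reasons, installHooks: installHooks(manifest) };
  }
  return flagged;
}

console.log(JSON.stringify(triage(REGISTRY), null, 2));
```

The thresholds (two hallmarks, a two-thirds vocabulary ratio, a cluster of three) are tuning knobs for the constructed data, not values taken from the reports. The point of the output is the pairing: the three flagged packages report `installHooks: []`, which is exactly why a monitor keyed on lifecycle scripts never fires, while the content and graph checks still catch them.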
GitHub, which operates npm, confirmed that the offending packages have been removed and the associated accounts blocked. The company said it will continue to track such activity through automated and manual review and encouraged the community to report suspicious packages.