Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign


A financially motivated threat actor automated the package publishing process in a coordinated tea.xyz token farming campaign.

More than 150,000 malicious packages were published in the NPM registry as part of a recently uncovered spam campaign, Amazon reports.

The packages contain a self-replicating worm designed to generate and publish new packages in an infinite loop, constantly spamming the registry.

Previous reports on the activity identified roughly 80,000 packages published across 18 accounts, detailing the automated naming scheme used by the threat actor behind the campaign.

Now, Amazon says it identified twice as many packages between October 24 and November 12, all of which are linked to tea.xyz, a blockchain-based system that rewards open source developers with a native cryptocurrency token.

All packages lack legitimate functionality but contain a self-replicating routine to create more packages, modify their package.json files to make them public, and publish them ...
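A registry-hygiene triage heuristic built from the traits this article attributes to the spam packages, added here as an example and not code from Amazon's or SecurityWeek's reporting. The tea.yaml marker, the "rewrite package.json then run npm publish" signal and the two-signal threshold are assumptions, and both package listings are constructed.

```python
import json
import re

# Assumption for this example: tea-protocol linkage shows up as a tea.yaml
# file or a tea.xyz reference; the report only says the packages are "linked".
TEA_PATTERN = re.compile(r"tea\.xyz|\btea\.yaml\b", re.IGNORECASE)
SOURCE_EXT = (".js", ".mjs", ".cjs", ".ts")


def triage_package(files: dict[str, str]) -> dict:
    """Score one unpacked npm tarball (path -> decoded text) for the traits the
    article describes. Signals and threshold are heuristics, not Amazon's."""
    findings = []
    manifest = json.loads(files.get("package/package.json", "{}"))

    # Signal 1: manifest forces public publication, which the worm rewrites it to do.
    if manifest.get("publishConfig", {}).get("access") == "public":
        findings.append("publishConfig.access forces public publication")

    # Signal 2: tea.xyz linkage, the reward system the campaign was farming.
    if "package/tea.yaml" in files or any(TEA_PATTERN.search(t) for t in files.values()):
        findings.append("references tea.xyz / tea.yaml")

    # Signal 3 (assumed indicator): source that both rewrites package.json and
    # invokes npm publish matches the described self-replication routine.
    sources = [t for p, t in files.items() if p.endswith(SOURCE_EXT)]
    if any("package.json" in t and "npm publish" in t for t in sources):
        findings.append("source rewrites package.json and runs npm publish")

    # Any two signals together are enough to quarantine for manual review.
    return {"name": manifest.get("name"), "findings": findings,
            "suspicious": len(findings) >= 2}


# Constructed samples (not real packages from the campaign).
SPAM_SAMPLE = {
    "package/package.json": json.dumps({
        "name": "example-spam-0042", "version": "1.0.0", "main": "index.js",
        "publishConfig": {"access": "public"}}),
    "package/tea.yaml": "version: 1.0.0\n",
    "package/index.js": "// stub: rewrite package.json with a fresh name, "
                        "then spawn `npm publish`\n",
}
BENIGN_SAMPLE = {
    "package/package.json": json.dumps(
        {"name": "left-align", "version": "2.1.0", "main": "index.js"}),
    "package/index.js": "module.exports = (s, n) => String(s).padEnd(n);\n",
}

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, BENIGN_SAMPLE):
        print(triage_package(sample))
```

Run against a directory of unpacked tarballs, the `suspicious` flag selects candidates for manual review rather than blocking outright, since a public-access flag alone is normal for legitimate packages.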


Copyright of this story solely belongs to SecurityWeek.