Amazon researchers uncover major token farming malware scam - over 150,000 malicious packages found
techradar.com
- Over 150,000 npm packages linked to a TEA token farming scheme were flagged by Amazon Inspector
- Attackers used self-replicating spam packages to fake developer impact and earn crypto rewards
- Researchers call it a major supply chain security event, urging stronger registry defenses and collaboration
Researchers have found tens of thousands of self-replicating, yet seemingly pointless, npm packages, which appear to be part of a large-scale fraud operation looking to earn crypto tokens for the fraudsters.
Cybersecurity researchers at Endor Labs recently discovered more than 43,000 spam packages that apparently took two years, and at least 11 accounts, to upload. The packages, making up roughly 1% of the entire npm ecosystem, are not malicious in the traditional sense of the word - they’re not stealing data, providing a backdoor, or encrypting system files. They are, however, self-replicating when they’re downloaded and run.
Endor speculated that they could ...

