- Over 43,000 dormant spam packages flooded npm in a coordinated two-year campaign
- Some packages contained worm-like scripts that, if run, generate and publish further packages to npm
- Attackers may have falsified TEA impact scores to earn decentralized developer rewards
About 1% of the entire npm registry now consists of fake, dormant packages that were uploaded as part of a years-long coordinated, and potentially malicious, campaign, experts have claimed.
Cybersecurity researchers at Endor Labs discovered more than 43,000 spam packages that were published over nearly two years from at least 11 different user accounts in a coordinated effort.
“The packages were systematically published over a long period of time and flooded the npm registry with junk packages that survived in the ecosystem for nearly two years,” the researchers said.
TEA token harvest?
The researchers named the campaign IndonesianFoods because of the way the packages are named. The publishing script that generates the names contains two internal dictionaries, one of Indonesian first names and one of Indonesian food terms. When the script runs, it picks one term from each dictionary at random, appends a number, and then appends a suffix.
The strange thing is that the packages themselves are not malicious. They are not designed to steal sensitive developer data or to act as a backdoor. Instead, they simply lie dormant and accumulate downloads.
Some packages have thousands of weekly downloads, the researchers explain, which hands the attacker a latent advantage: “This allows the attackers to push a malicious commit in the future that would affect all these downloads.”
Some of the packages also contained a worm-like script that, if run, would generate additional packages and publish them to npm, so the flood could grow on its own.
Beyond that malicious potential, the researchers believe the campaign may be financially motivated. Some of the packages contained tea.yaml files referencing TEA accounts. Tea is a decentralized protocol that rewards open source developers with tokens for the software they contribute.
This could mean the attackers were trying to inflate their impact score and so earn more TEA tokens.
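To make the two observations above concrete, the naming scheme (two dictionary picks, a number, a suffix) and the tea.yaml marker, here is a small audit script that walks an installed node_modules directory and flags packages on either signal. This is an added example, not Endor Labs' tooling and not code from the campaign. The article does not publish the real dictionaries or the exact name layout, so the word lists, the suffix list and the hyphenated "name-food-number-suffix" layout are constructed assumptions, as is the sample tree the script builds for itself; adapt the lists to the published indicators before using it on a real project.

```python
"""Heuristic audit of a node_modules tree for IndonesianFoods-style spam.

Added example: not Endor Labs' tooling, not the campaign's code.
ASSUMPTIONS (constructed, not from the article): the word lists, the suffix
list, and the hyphenated "<name>-<food>-<number>[-<suffix>]" layout.
"""
import json
import os
import tempfile

# ASSUMPTION: placeholder dictionaries standing in for the real ones.
NAME_WORDS = {"budi", "siti", "agus", "dewi", "rina"}
FOOD_WORDS = {"rendang", "sate", "bakso", "gudeg", "tempe"}
SUFFIXES = {"js", "lib", "pkg", "api"}


def looks_like_campaign_name(name: str) -> bool:
    """True if `name` is <word>-<word>-<digits>[-<suffix>] with one word from
    each dictionary, in either order. Mirrors the generator the article
    describes: two dictionary picks, then a number, then a suffix."""
    parts = name.lower().split("-")
    if len(parts) not in (3, 4) or not parts[2].isdigit():
        return False
    words = {parts[0], parts[1]}
    if not (words & NAME_WORDS and words & FOOD_WORDS):
        return False
    return len(parts) == 3 or parts[3] in SUFFIXES


def audit_node_modules(root: str) -> list:
    """Scan the top level of `root` (a node_modules dir; scoped @org/ packages
    are not descended into) and return [{"name": ..., "reasons": [...]}] for
    every package that matches the naming heuristic or ships a tea.yaml."""
    findings = []
    for entry in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, entry)
        if not os.path.isdir(pkg_dir):
            continue
        name = entry
        manifest = os.path.join(pkg_dir, "package.json")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                name = json.load(fh).get("name", entry)
        reasons = []
        if looks_like_campaign_name(name):
            reasons.append("name matches dictionary+number+suffix pattern")
        # Weaker signal on its own: legitimate projects can also register with TEA.
        if os.path.isfile(os.path.join(pkg_dir, "tea.yaml")):
            reasons.append("ships tea.yaml (TEA reward attribution)")
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Create a throwaway node_modules of constructed packages and return its
    path: two match the naming pattern, one is clean, and one is clean-named
    but carries a tea.yaml."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    samples = {
        "budi-rendang-42-js": True,   # pattern hit and tea.yaml
        "siti-bakso-7": False,        # pattern hit without suffix
        "example-utils": True,        # clean name, tea.yaml only
        "other-lib": False,           # nothing suspicious
    }
    for name, has_tea in samples.items():
        pkg_dir = os.path.join(root, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0.0"}, fh)
        if has_tea:
            with open(os.path.join(pkg_dir, "tea.yaml"), "w", encoding="utf-8") as fh:
                fh.write("# constructed placeholder; only the file's presence is checked\n")
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run it against a real tree with `audit_node_modules("./node_modules")`. Treat a tea.yaml hit without a name-pattern hit as a prompt to look closer rather than a verdict, and remember that the dormant-then-weaponised risk the researchers describe is best contained by a committed lockfile and by reviewing new transitive dependencies before they are pulled in.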
Via Hacker News