- Over 150,000 npm packages linked to a TEA token farming scheme were flagged by Amazon Inspector
- Attackers used self-replicating spam packages to fake developer influence and earn crypto rewards
- Researchers are calling it a major supply chain security event that calls for stronger registry defenses and collaboration
Researchers have found tens of thousands of self-replicating, but seemingly pointless, npm packages that appear to be part of a large-scale fraud operation seeking to earn crypto tokens for the fraudsters.
Cybersecurity researchers at Endor Labs recently discovered more than 43,000 spam packages that apparently took two years and at least 11 accounts to upload. The packages, which make up about 1% of the entire npm ecosystem, are not malicious in the traditional sense of the word – they do not steal data, provide a backdoor, or encrypt system files. They are self-replicating when downloaded and run.
Endor speculated that they could be made malicious via an update, but also said they could be part of a financially motivated campaign, as some of the packages contained tea.yaml files with TEA accounts.
Confirmation of the suspicions
Tea is a decentralized framework protocol where open source developers are rewarded when they contribute software, which means the attackers may have tried to falsify their power scores and thus earn more TEA tokens.
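As an added illustration (not code from Endor Labs, Amazon, or the tea project), here is a defender-side check that scans a directory of unpacked packages for tea.yaml files and flags any account address claimed as code owner by many unrelated packages, which is the reuse pattern a reward-farming flood produces. The tea.yaml field names, the directory layout and the addresses are assumptions and constructed sample data.

```python
import os
import re
import tempfile
from collections import defaultdict

# Hex account address as it would appear under codeOwners: in a tea.yaml file (assumed format).
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def tea_owners(pkg_dir):
    """Return the set of code-owner addresses declared in <pkg_dir>/tea.yaml (empty if none)."""
    path = os.path.join(pkg_dir, "tea.yaml")
    if not os.path.isfile(path):
        return set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {addr.lower() for addr in ADDR_RE.findall(fh.read())}

def cluster_by_owner(root, min_packages=3):
    """Map each owner address to the packages naming it; keep only addresses reused across many packages."""
    by_owner = defaultdict(set)
    for name in os.listdir(root):
        pkg_dir = os.path.join(root, name)
        if os.path.isdir(pkg_dir):
            for addr in tea_owners(pkg_dir):
                by_owner[addr].add(name)
    return {addr: sorted(pkgs) for addr, pkgs in by_owner.items() if len(pkgs) >= min_packages}

FARM_ADDR = "0x" + "ab" * 20   # constructed sample address, not a real account
OTHER_ADDR = "0x" + "cd" * 20  # constructed sample address, not a real account

def build_sample_tree(root):
    """Write a constructed node_modules-like tree: four packages sharing one owner, one separate, one without tea.yaml."""
    layout = {f"spam-pkg-{i}": FARM_ADDR for i in range(4)}
    layout["legit-lib"] = OTHER_ADDR
    layout["plain-lib"] = None
    for name, addr in layout.items():
        os.makedirs(os.path.join(root, name))
        if addr:
            with open(os.path.join(root, name, "tea.yaml"), "w", encoding="utf-8") as fh:
                fh.write(f"version: 1.0.0\ncodeOwners:\n  - '{addr}'\nquorum: 1\n")

def demo():
    """Build the constructed tree in a temp dir and return the suspicious owner clusters."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return cluster_by_owner(root)

if __name__ == "__main__":
    for addr, pkgs in demo().items():
        print(f"{addr} is claimed by {len(pkgs)} packages: {', '.join(pkgs)}")
```

Point the scan at a real node_modules tree or a directory of extracted tarballs; a single address claimed by dozens of otherwise unrelated packages is worth blocking at the registry mirror or in CI.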
Now Amazon’s researchers have apparently confirmed these suspicions. In a new report, the company said that its Amazon Inspector (a security assessment service from AWS) was recently updated with a new detection rule, which flagged more than 150,000 packages linked to the tea.xyz token farming campaign – three times the size of the original report.
It took Amazon about a week to go from updating the detection rule to discovering the 150,000 packages to validating the results with OpenSSF.
“This is one of the largest package floods in open source registry history and represents a defining moment in supply chain security,” Amazon explained.
“This incident demonstrates both the evolving nature of threats, where economic incentives are driving registry contamination on an unprecedented scale, and the critical importance of industry-community collaboration to defend the software supply chain.”