A self-spreading npm package campaign named ‘IndonesianFoods’ has published over 100,000 packages, creating a massive volume of junk that could threaten the supply chain. Although initially not malicious, this attack’s scale and automation pose a significant risk for future malware injection. #IndonesianFoods #npmattack
Key points
- The ‘IndonesianFoods’ campaign involves auto-publishing over 100,000 npm packages using Indonesian cuisine names.
- The attack leverages automation to overwhelm security systems and disrupt the open-source ecosystem.
- While current packages lack malicious payloads, future updates could introduce dangerous malware.
- The campaign has abused the blockchain-based TEA Protocol to monetize the attack with TEA tokens.
- Developers are advised to lock dependency versions and monitor for abnormal package publishing patterns.
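The two pieces of advice above, turned into simple checks a defender can run offline. This is an added example, not code from the original report or from any registry tooling; the package names, maintainer handles and timestamps are constructed sample data, and the burst threshold and window are assumed values you would tune to your own registry mirror or audit feed.

```javascript
// Added example (not from the original report). All package names,
// maintainers and timestamps below are constructed sample data.

// Sliding-window burst detector: returns maintainers that published more
// than `threshold` packages within any `windowMs` span, which is the kind
// of automated mass-publishing pattern the campaign relies on.
function findBurstPublishers(records, windowMs, threshold) {
  const byMaintainer = new Map();
  for (const r of records) {
    if (!byMaintainer.has(r.maintainer)) byMaintainer.set(r.maintainer, []);
    byMaintainer.get(r.maintainer).push(Date.parse(r.time));
  }
  const flagged = [];
  for (const [maintainer, times] of byMaintainer) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      // shrink the window from the left until it spans at most windowMs
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 > threshold) { flagged.push(maintainer); break; }
    }
  }
  return flagged;
}

// Dependency pin checker: flags specs in a package.json "dependencies" map
// that are not an exact version, since a range or tag would let a later
// (possibly malicious) release be pulled in automatically.
function findUnpinnedDeps(deps) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  return Object.entries(deps)
    .filter(([, spec]) => !exact.test(spec))
    .map(([name]) => name);
}

// Constructed sample data: one bulk publisher pushing 30 packages in 30
// minutes, and one ordinary maintainer with two releases days apart.
const sampleRecords = [];
for (let i = 0; i < 30; i++) {
  sampleRecords.push({
    name: `sample-food-${i}`, maintainer: 'bulk-publisher',
    time: new Date(Date.UTC(2025, 0, 1, 0, i)).toISOString(),
  });
}
sampleRecords.push({ name: 'normal-lib', maintainer: 'normal-dev', time: '2025-01-01T00:00:00Z' });
sampleRecords.push({ name: 'normal-lib-2', maintainer: 'normal-dev', time: '2025-01-03T00:00:00Z' });
const sampleDeps = { 'pinned-lib': '1.3.0', 'some-util': '^2.0.0', 'other-lib': 'latest' };

console.log(findBurstPublishers(sampleRecords, 60 * 60 * 1000, 20)); // ['bulk-publisher']
console.log(findUnpinnedDeps(sampleDeps)); // ['some-util', 'other-lib']
```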