- More than 43,000 dormant spam packages flooded npm during a two-year coordinated campaign.
- Some packages contained worm-like scripts that automatically generated and published new entries.
- Attackers may have falsified TEA points to obtain decentralized developer rewards.
According to experts, about 1% of the entire npm ecosystem now consists of fake, dormant packages uploaded as part of a targeted (and possibly malicious) campaign that has been going on for years.
Endor Labs cybersecurity researchers discovered more than 43,000 spam packages that took nearly two years to upload in a coordinated effort involving at least eleven different user accounts.
“Packages were systematically published over a long period of time, flooding the npm registry with unwanted packages that survived in the ecosystem for nearly two years,” the researchers said.
Collect TEA Tokens?
Because of the package names, the researchers called the campaign “Indonesian Foods”. The script used to generate the names contains two internal dictionaries, one of Indonesian personal names and the other of Indonesian food terms. When the script runs, it randomly selects one term from each, appends a number, and adds a suffix.
The strange thing is that the packages themselves are not malicious. They are not intended to steal sensitive data from developers or act as a backdoor. Instead, they simply sit in the registry and accumulate downloads.
Some packages are downloaded thousands of times per week, the researchers explain, noting that this gives the attacker a potential advantage: “This gives attackers the opportunity to perform a malicious commit in the future that would affect all of these downloads.”
Some packages contained a worm-like script that, when run, generated additional packages and published them to npm.
In addition to the potential for future harm, the researchers believe that this may also be part of a financially motivated campaign. Some packages contain tea.yaml files that reference TEA accounts. tea is a decentralized protocol that rewards open source developers for their software.
This could mean that the attackers were trying to falsify their package metrics in order to earn more TEA tokens.
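The three traits the article attributes to these packages (dictionary-generated names, a lifecycle script that publishes further packages, and a bundled tea.yaml) can each be checked locally in an unpacked dependency tree. The script below is an added example written for this page, not code from Endor Labs or from the campaign; the heuristics, the hyphenated name layout, the lifecycle hook list and the sample packages it builds are all my own assumptions, since the article does not show a real package name or script.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions made for this example, not rules from the Endor Labs report.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PUBLISH_CMD = re.compile(r"\b(npm|yarn|pnpm)\s+publish\b")
# The article describes names built from two dictionary words, a number and a suffix;
# the hyphen layout assumed here is a guess, since the page shows no real name.
SPAM_NAME = re.compile(r"^[a-z]+-[a-z]+-\d+-[a-z]+$")


def inspect_package(pkg_dir: Path) -> tuple[str, list[str]]:
    """Check one unpacked package directory and return (name, findings)."""
    manifest_path = pkg_dir / "package.json"
    if not manifest_path.is_file():
        return pkg_dir.name, ["missing package.json"]
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    name = manifest.get("name", pkg_dir.name)
    findings = []
    if SPAM_NAME.match(name):
        findings.append("name matches word-word-number-suffix pattern")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        # A publish command in an install-time hook is the worm-like behaviour described above.
        if PUBLISH_CMD.search(scripts.get(hook, "")):
            findings.append(f"{hook} script invokes a publish command")
    if (pkg_dir / "tea.yaml").is_file():
        findings.append("ships a tea.yaml")
    return name, findings


def scan_node_modules(node_modules: Path) -> dict[str, list[str]]:
    """Walk node_modules (top level plus @scoped folders) and collect findings per package."""
    results = {}
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir() or entry.name.startswith("."):
            continue
        members = sorted(entry.iterdir()) if entry.name.startswith("@") else [entry]
        for pkg_dir in members:
            if pkg_dir.is_dir():
                name, findings = inspect_package(pkg_dir)
                results[name] = findings
    return results


def write_package(node_modules: Path, name: str, scripts: dict, tea: bool) -> None:
    """Create a constructed sample package on disk (a fixture, not a real npm package)."""
    pkg_dir = node_modules / name
    pkg_dir.mkdir(parents=True)
    manifest = {"name": name, "version": "1.0.0", "scripts": scripts}
    (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    if tea:
        (pkg_dir / "tea.yaml").write_text("# constructed placeholder\n", encoding="utf-8")


def demo() -> dict[str, list[str]]:
    """Build a constructed node_modules tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        # Constructed sample shaped like the campaign described in the article.
        write_package(nm, "budi-rendang-42-js",
                      {"postinstall": "node generate.js && npm publish"}, tea=True)
        # Constructed benign examples, including a scoped package.
        write_package(nm, "left-pad", {"test": "node test.js"}, tea=False)
        write_package(nm, "@acme/util", {"build": "tsc"}, tea=False)
        return scan_node_modules(nm)


if __name__ == "__main__":
    for pkg, findings in demo().items():
        print(pkg, "->", findings or "clean")
```

Point `scan_node_modules` at a real project's node_modules to get the same per-package report; a hit on the name pattern alone is weak evidence, while an install-time hook that publishes, or a tea.yaml in a package with no obvious reason to carry one, is worth a closer look at the dependency before it is kept.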
Source: The Hacker News